Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2026-1035— Org.keycloak.protocol.oidc: keycloak refresh token reuse bypass via toctou race condition

CVSS 3.1 · Low EPSS 0.01% · P1
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-1035

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Org.keycloak.protocol.oidc: keycloak refresh token reuse bypass via toctou race condition
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
检查时间与使用时间(TOCTOU)的竞争条件
Source: NVD (National Vulnerability Database)
Vulnerability Title
Keycloak 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在安全漏洞,该漏洞源于TokenManager类在处理刷新令牌时验证和更新操作非原子性,可能导致并发刷新请求绕过单次使用限制。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Red HatRed Hat build of Keycloak 26.4 26.4.11-1 ~ * cpe:/a:redhat:build_keycloak:26.4::el9
Red HatRed Hat build of Keycloak 26.4 26.4-14 ~ * cpe:/a:redhat:build_keycloak:26.4::el9
Red HatRed Hat build of Keycloak 26.4 26.4-14 ~ * cpe:/a:redhat:build_keycloak:26.4::el9
Red HatRed Hat build of Keycloak 26.4.11-cpe:/a:redhat:build_keycloak:26.4::el9
Red HatRed Hat JBoss Enterprise Application Platform 8-cpe:/a:redhat:jboss_enterprise_application_platform:8
Red HatRed Hat JBoss Enterprise Application Platform Expansion Pack-cpe:/a:redhat:jbosseapxp
Red HatRed Hat Single Sign-On 7-cpe:/a:redhat:red_hat_single_sign_on:7

II. Public POCs for CVE-2026-1035

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-1035

登录查看更多情报信息。

Same Patch Batch · Red Hat · 2026-01-21 · 4 CVEs total

CVE-2025-145596.5 MEDIUMOrg.keycloak/keycloak-services: keycloak keycloak-services: business logic flaw allows una
CVE-2026-09883.7 LOWGlib: glib: denial of service via integer overflow in g_buffered_input_stream_peek()
CVE-2025-140832.7 LOWKeycloak-server: keycloak: improper access control in admin rest api leads to information

IV. Related Vulnerabilities

Same product: Red Hat build of Keycloak 26.4
Same vendor: Red Hat
Same weakness: CWE-367

V. Comments for CVE-2026-1035

No comments yet

Leave a comment