CVE-2026-1035

Low CVSS: 3.1

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.

Vendor

Product

CWE

CWE-367

Yayın Tarihi

2026-01-21 06:15:46

Güncelleme

2026-04-02 14:16:25

Source Identifier

secalert@redhat.com

KEV Date Added

Kategoriler

CWE-367 LOW 2026

Referanslar

https://access.redhat.com/errata/RHSA-2026:6477 https://access.redhat.com/errata/RHSA-2026:6478 https://access.redhat.com/security/cve/CVE-2026-1035 https://bugzilla.redhat.com/show_bug.cgi?id=2430314