CVE-2026-1035
Race Condition in Keycloak TokenManager Enables Refresh Token Reuse
Publication date: 2026-01-21
Last updated on: 2026-04-02
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | keycloak | to 0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in the Keycloak server's TokenManager class during refresh token processing. When strict refresh token rotation is enabled (each refresh token may be presented once, after which only the rotated token is valid), the check that a refresh token has not already been used and the update that records its use are not performed as one atomic step. An attacker who holds a valid refresh token can therefore send several refresh requests concurrently so that each passes the check before any of them has recorded its use: a time-of-check to time-of-use race (CWE-367). The single-use enforcement is bypassed and multiple access tokens are issued from the same refresh token, undermining the intended security mechanism. [1]
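The pattern behind the advisory, as an added example that is not Keycloak's TokenManager code: `RefreshTokenRecord`, `vulnerable_refresh` and `atomic_refresh` are a hypothetical server-side model of refresh-token rotation with a max-reuse of zero. The vulnerable handler checks the usage counter, then updates it in a separate step; a `threading.Barrier` holds every request in that window so the interleaving is reproducible instead of timing-dependent. The hardened handler does the check and the update inside one critical section, so the same burst of concurrent requests yields exactly one access token.

```python
"""Model of the check-then-update race in refresh-token rotation (added example,
not Keycloak code).  Run it to see how many access tokens each variant issues
for one refresh token presented by several concurrent requests."""
import threading
from dataclasses import dataclass, field


@dataclass
class RefreshTokenRecord:
    """Hypothetical server-side state for one refresh token."""
    token_id: str
    use_count: int = 0
    max_reuse: int = 0  # strict rotation: the token may be presented exactly once
    lock: threading.Lock = field(default_factory=threading.Lock)

    def exhausted(self) -> bool:
        return self.use_count > self.max_reuse


def vulnerable_refresh(rec, rendezvous):
    """Time of check and time of use are separate steps.  Every request that
    reaches the barrier has already passed the check, so all of them proceed
    to the update and each receives an access token."""
    if rec.exhausted():            # time of check: counter still 0 for everyone
        return None
    rendezvous.wait()              # the window in which concurrent requests land
    rec.use_count += 1             # time of use: recorded too late
    return f"access-token-{rec.token_id}-{rec.use_count}"


def atomic_refresh(rec, rendezvous):
    """Check and update inside one critical section.  Requests still arrive at
    the same instant, but the second one observes the first one's update."""
    rendezvous.wait()
    with rec.lock:
        if rec.exhausted():
            return None
        rec.use_count += 1
        return f"access-token-{rec.token_id}-{rec.use_count}"


def race(handler, n_requests=2):
    """Send n concurrent refresh requests carrying the same refresh token and
    return how many access tokens the server handed out."""
    rec = RefreshTokenRecord(token_id="rt-1")
    rendezvous = threading.Barrier(n_requests, timeout=5)
    results = [None] * n_requests

    def worker(i):
        results[i] = handler(rec, rendezvous)

    threads = [threading.Thread(target=worker, args=(i,)) for i in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(r is not None for r in results)


if __name__ == "__main__":
    print("vulnerable:", race(vulnerable_refresh, 3), "access tokens from one refresh token")
    print("atomic:    ", race(atomic_refresh, 3), "access token from one refresh token")
```

The barrier stands in for network timing: in a real attack the requests are simply fired in parallel and the window is whatever the server takes between reading and writing the usage state. The fix is not "make the window smaller" but "remove it", which is what the single critical section (or, in a database-backed store, a conditional update that both checks and bumps the counter) does.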
How can this vulnerability impact me?
This vulnerability can allow an attacker who already holds a valid refresh token to present it several times and obtain several valid access tokens from it. Refresh token rotation exists to limit what a leaked or stolen refresh token is worth; this flaw undermines that limit, potentially allowing unauthorized access to protected resources for longer or more broadly than a single-use token should permit. Although the severity is classified as low, it weakens authentication security in environments that run Keycloak with strict refresh token rotation enabled and rely on that setting. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection means looking for the same refresh token being accepted more than once, and in particular several times within a few milliseconds, which is the signature of concurrent requests winning the race before the usage state is updated. Do not search logs for the refresh token value itself: Keycloak's events do not carry the token value, and you should not add logging that does. Correlate instead on the token identifier (the JWT `jti`), which Keycloak records as the `refresh_token_id` detail of its REFRESH_TOKEN login event. With the built-in jboss-logging event listener enabled for the realm these events are written to the server log; the listener logs successful events at DEBUG by default, so raise that level (for example `--spi-events-listener-jboss-logging-success-level=info`) or query stored events through the admin console or the admin REST API events endpoint instead. A quick pass over the server log is then: `grep -E 'type="?REFRESH_TOKEN"?,' /path/to/keycloak/logs/server.log | grep -oE '\brefresh_token_id=[^, ]*' | sort | uniq -c | sort -nr | awk '$1 > 1'`, which lists refresh token ids accepted more than once (the `\b` keeps the `updated_refresh_token_id` detail from being counted as well). Under strict rotation (Refresh Token Max Reuse set to 0) every id in that output is a policy violation; several acceptances of one id within a second or two, or from different client IP addresses, is the pattern to investigate. [1]
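The same check as a script, as an added example that is not Keycloak code: it parses event lines, groups successful REFRESH_TOKEN events by `refresh_token_id`, and reports every id accepted more than once together with how tightly the acceptances cluster and from which addresses. The sample log is constructed to resemble the output of Keycloak's jboss-logging event listener (field names `type`, `clientId`, `userId`, `ipAddress`, `refresh_token_id`, `updated_refresh_token_id`); the values are invented, and the exact layout (with or without quotes around values) varies between Keycloak versions, which is why the key=value parser accepts both forms.

```python
"""Flag refresh-token ids accepted more than once in Keycloak-style event logs
(added example, not Keycloak code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of the jboss-logging event listener.
# rt-aaaa is accepted three times within 22 ms, once from a different address:
# the race signature.  rt-eeee is accepted once and then rejected, which is normal.
SAMPLE_LOG = """\
2026-01-21 10:15:02,118 INFO  [org.keycloak.events] (executor-thread-3) type=REFRESH_TOKEN, realmId=demo, clientId=web-app, userId=u-100, ipAddress=203.0.113.5, refresh_token_id=rt-aaaa, updated_refresh_token_id=rt-bbbb
2026-01-21 10:15:02,131 INFO  [org.keycloak.events] (executor-thread-7) type=REFRESH_TOKEN, realmId=demo, clientId=web-app, userId=u-100, ipAddress=203.0.113.5, refresh_token_id=rt-aaaa, updated_refresh_token_id=rt-cccc
2026-01-21 10:15:02,140 INFO  [org.keycloak.events] (executor-thread-2) type=REFRESH_TOKEN, realmId=demo, clientId=web-app, userId=u-100, ipAddress=198.51.100.9, refresh_token_id=rt-aaaa, updated_refresh_token_id=rt-dddd
2026-01-21 10:20:44,002 INFO  [org.keycloak.events] (executor-thread-1) type=REFRESH_TOKEN, realmId=demo, clientId=mobile, userId=u-200, ipAddress=203.0.113.77, refresh_token_id=rt-eeee, updated_refresh_token_id=rt-ffff
2026-01-21 10:21:10,500 WARN  [org.keycloak.events] (executor-thread-4) type=REFRESH_TOKEN_ERROR, realmId=demo, clientId=mobile, userId=u-200, ipAddress=203.0.113.77, error=invalid_token, refresh_token_id=rt-eeee
"""

TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3})")
KV_RE = re.compile(r'(\w+)="?([^",\s]+)"?')   # key=value or key="value"


def parse_event(line):
    """Return (timestamp, {field: value}) for an event line, else None."""
    m = TS_RE.match(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    if "type" not in fields:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S,%f"), fields


def find_reused_refresh_tokens(log_text, window=timedelta(seconds=2)):
    """Group successful REFRESH_TOKEN events by refresh_token_id.  Under a
    max-reuse-of-zero policy any id accepted twice is a violation; a burst of
    acceptances inside `window` is the signature of the race itself."""
    uses = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, f = parsed
        # Only successful refreshes count; REFRESH_TOKEN_ERROR means rotation held.
        if f.get("type") != "REFRESH_TOKEN" or "refresh_token_id" not in f:
            continue
        uses[f["refresh_token_id"]].append(
            (ts, f.get("ipAddress"), f.get("updated_refresh_token_id")))

    findings = {}
    for token_id, events in uses.items():
        if len(events) < 2:
            continue
        times = sorted(t for t, _, _ in events)
        spread = times[-1] - times[0]
        findings[token_id] = {
            "uses": len(events),
            "spread_ms": int(spread.total_seconds() * 1000),
            "within_window": spread <= window,
            "ips": sorted({ip for _, ip, _ in events if ip}),
            "tokens_issued": sorted({u for _, _, u in events if u}),
        }
    return findings


if __name__ == "__main__":
    for token_id, finding in find_reused_refresh_tokens(SAMPLE_LOG).items():
        print(token_id, finding)
```

Point the parser at a real `server.log` (or at events exported from the admin API, after mapping the JSON fields to the same names) and review every hit: under strict rotation there should be none, so even a two-use hit minutes apart is worth explaining, while a sub-second cluster is the race, and a cluster from more than one address suggests the token has leaked.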
What immediate steps should I take to mitigate this vulnerability?
The definitive fix is to update Keycloak to a version that addresses this TOCTOU race as soon as Red Hat or the Keycloak project publishes one. The commonly suggested workaround of disabling refresh token revocation (the realm's Revoke Refresh Token setting) or raising Refresh Token Max Reuse does not close the race; it removes or loosens the single-use control that the race bypasses, turning a bypassable control into permitted behaviour. If you rely on it temporarily, be aware that a leaked refresh token can then be exchanged repeatedly until it expires, and keep refresh token and session idle lifetimes short to compensate. Until the update is applied, rate-limit and monitor requests to the token endpoint (`/realms/<realm>/protocol/openid-connect/token` with `grant_type=refresh_token`) at the reverse proxy or WAF, and alert on any refresh token id accepted more than once under a max-reuse-of-zero policy. [1]