CVE-2026-4325
Improper Isolation in Keycloak Enables Token Replay Attack
Publication date: 2026-04-02
Last updated on: 2026-04-16
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | build_of_keycloak | * |
| redhat | build_of_keycloak | 26.2 |
| redhat | build_of_keycloak | 26.2.15 |
| redhat | build_of_keycloak | 26.4 |
| redhat | build_of_keycloak | 26.4.11 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-653 | The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions. |
AI Powered Q&A
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access or account compromise by enabling attackers to reuse consumed action tokens.
For example, an attacker could replay a password reset link to gain access to a user's account.
Exploitation requires the attacker to be logged in, but a successful exploit bypasses the single-use guarantee that these tokens are meant to enforce.
Can you explain this vulnerability to me?
This vulnerability exists in Keycloak's SingleUseObjectProvider, which is a global key-value store lacking proper type and namespace isolation.
Because of this flaw, an attacker can delete arbitrary single-use entries, such as consumed action tokens like password reset links.
This deletion allows the attacker to replay these tokens, effectively reusing them even after they were supposed to be invalid.
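As an added, constructed illustration of the CWE-653 pattern described above (not Keycloak's code; the store, redeem_action_token and clear_user_note are hypothetical stand-ins), the following shows how a flat, shared key space lets one feature's delete reach another feature's consumed-token marker, and how keying entries by namespace closes that path:

```python
# Constructed model of the isolation weakness class described above (CWE-653).
# Not Keycloak code: the store, token service and user-facing feature are
# hypothetical stand-ins showing why single-use markers need their own namespace.

class SingleUseStore:
    """Key-value store. With isolated=False every caller shares one flat key
    space (the flawed shape); with isolated=True entries are keyed by
    (namespace, key) so one feature cannot reach another feature's entries."""

    def __init__(self, isolated):
        self.isolated = isolated
        self._data = {}

    def _k(self, ns, key):
        return (ns, key) if self.isolated else key

    def put(self, ns, key, value):
        self._data[self._k(ns, key)] = value

    def has(self, ns, key):
        return self._k(ns, key) in self._data

    def remove(self, ns, key):
        return self._data.pop(self._k(ns, key), None) is not None


def redeem_action_token(store, token_id):
    """Single-use check: the first redemption stores a 'consumed' marker;
    any later redemption of the same token id is refused."""
    if store.has("action-token", token_id):
        return False
    store.put("action-token", token_id, "consumed")
    return True


def clear_user_note(store, key):
    """Hypothetical feature available to any logged-in user: remove one of
    the user's own entries by key. Its intended reach is the 'user-note'
    namespace; on a flat store that intent is not enforced."""
    return store.remove("user-note", key)


def replay_possible(isolated):
    """Return True if a consumed token can be redeemed again after a
    logged-in user clears an entry whose key matches the token id."""
    store = SingleUseStore(isolated)
    token = "reset-token-123"          # constructed sample id
    first = redeem_action_token(store, token)
    second = redeem_action_token(store, token)
    assert first and not second        # single-use holds up to this point
    clear_user_note(store, token)      # unrelated feature, same key
    return redeem_action_token(store, token)
```

The defensive point is the key shape: a consumed marker that lives under its own namespace cannot be removed through an API that only names a different namespace.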
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in Keycloak's SingleUseObjectProvider allows deletion of arbitrary single-use entries, enabling replay of consumed action tokens. Since exploitation requires the attacker to be logged in, immediate mitigation steps include:
- Restrict and monitor user logins to prevent unauthorized access.
- Apply any available patches or updates from Keycloak or your Linux distribution vendor promptly.
- Review and tighten access controls around token usage and management.
- Monitor logs for unusual token reuse or deletion activities.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Keycloak allows attackers to replay consumed action tokens such as password reset links, potentially leading to unauthorized access or account compromise.
Such unauthorized access could result in exposure or misuse of personal or sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict controls on access and protection of user data.
However, the provided information does not explicitly detail the direct effects on compliance with these standards.