CVE-2026-4325
Received Received - Intake
Improper Isolation in Keycloak Enables Token Replay Attack

Publication date: 2026-04-02

Last updated on: 2026-04-16

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-4325
EUVD
EUVD-2026-18210
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
redhat build_of_keycloak *
redhat build_of_keycloak 26.2
redhat build_of_keycloak 26.2.15
redhat build_of_keycloak 26.4
redhat build_of_keycloak 26.4.11
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-653 The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

The vulnerability can lead to unauthorized access or account compromise by enabling attackers to reuse consumed action tokens.

For example, an attacker could replay a password reset link to gain access to a user's account.

Exploitation requires the attacker to be logged in, but once exploited, it can bypass intended security measures for single-use tokens.

Executive Summary

This vulnerability exists in Keycloak's SingleUseObjectProvider, which is a global key-value store lacking proper type and namespace isolation.

Because of this flaw, an attacker can delete arbitrary single-use entries, such as consumed action tokens like password reset links.

This deletion allows the attacker to replay these tokens, effectively reusing them even after they were supposed to be invalid.

Mitigation Strategies

The vulnerability in Keycloak's SingleUseObjectProvider allows deletion of arbitrary single-use entries, enabling replay of consumed action tokens. Since exploitation requires the attacker to be logged in, immediate mitigation steps include:

  • Restrict and monitor user logins to prevent unauthorized access.
  • Apply any available patches or updates from Keycloak or your Linux distribution vendor promptly.
  • Review and tighten access controls around token usage and management.
  • Monitor logs for unusual token reuse or deletion activities.
Compliance Impact

The vulnerability in Keycloak allows attackers to replay consumed action tokens such as password reset links, potentially leading to unauthorized access or account compromise.

Such unauthorized access could result in exposure or misuse of personal or sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require strict controls on access and protection of user data.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-4325. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart