Token Management Flaw in Keycloak Server by Red Hat
CVE-2026-1035

3.1LOW

Key Information:

Vendor

Red Hat
Status
Red Hat Build Of Keycloak 26.4
Red Hat Build Of Keycloak 26.4.11
Red Hat Jboss Enterprise Application Platform 8
Red Hat Jboss Enterprise Application Platform Expansion Pack
Vendor
CVE Published:
21 January 2026

What is CVE-2026-1035?

A vulnerability in the Keycloak server arises during the processing of refresh tokens. The issue is located within the TokenManager class, which is responsible for enforcing policies related to refresh token reuse. When strict rotation of refresh tokens is implemented, the lack of atomicity in validating and updating refresh token usage permits simultaneous refresh requests to circumvent the single-use policy. This can lead to unauthorized multiple access token issuance from the same refresh token, compromising the intended security measures associated with token rotation.

Affected Version(s)

Red Hat build of Keycloak 26.4 26.4.11-1

Red Hat build of Keycloak 26.4 26.4-14

Red Hat build of Keycloak 26.4 26.4-14

References

https://access.redhat.com/errata/RHSA-2026:6477
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6478
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-1035
vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:
3.1
Severity:
LOW
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Mohamed Amine ait Ouchebou (mrecho) (Indiesecurity) for reporting this issue.
.