Keycloak: keycloak: replay of action tokens via improper handling of single-use entries
Summary
| CVE | CVE-2026-4325 |
|---|---|
| State | PUBLISHED |
| Assigner | redhat |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-02 13:16:26 UTC |
| Updated | 2026-04-03 16:10:52 UTC |
| Description | A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise. |
Risk And Classification
Primary CVSS: v3.1 5.3 MEDIUM from [email protected]
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS: 0.000340000 probability, percentile 0.101290000 (date 2026-04-03)
Problem Types: CWE-653 | CWE-653 Improper Isolation or Compartmentalization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |
| 3.1 | CNA | CVSS | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
HighPrivileges Required
NoneUser Interaction
RequiredScope
UnchangedConfidentiality
NoneIntegrity
HighAvailability
NoneCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Red Hat | Red Hat Build Of Keycloak 26.2 | unaffected 26.2.15-1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.2 | unaffected 26.2-18 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.2 | unaffected 26.2-18 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.2.15 | Not specified | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.4 | unaffected 26.4.11-1 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.4 | unaffected 26.4-14 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.4 | unaffected 26.4-14 * rpm | Not specified |
| CNA | Red Hat | Red Hat Build Of Keycloak 26.4.11 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| access.redhat.com/errata/RHSA-2026:6478 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6476 | [email protected] | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-4325 | [email protected] | access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6475 | [email protected] | access.redhat.com | |
| bugzilla.redhat.com/show_bug.cgi | [email protected] | bugzilla.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6477 | [email protected] | access.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Red Hat would like to thank Ngọc Chung Kim for reporting this issue. (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| CNA | 2026-03-17T12:43:09.194Z | Reported to Red Hat. |
| CNA | 2026-04-02T12:30:00.000Z | Made public. |
Workarounds
CNA: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
There are currently no legacy QID mappings associated with this CVE.