FKIE_CVE-2026-1035

Vulnerability from fkie_nvd - Published: 2026-01-21 06:15 - Updated: 2026-04-02 14:16
Severity ?
3.1 (Low) - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2026:6477
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2026:6478
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2026-1035
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2430314
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak\u2019s refresh token rotation hardening can be undermined."
    },
    {
      "lang": "es",
      "value": "Se encontr\u00f3 una falla en el servidor Keycloak durante el procesamiento de tokens de actualizaci\u00f3n, espec\u00edficamente en la clase TokenManager responsable de aplicar las pol\u00edticas de reutilizaci\u00f3n de tokens de actualizaci\u00f3n. Cuando la rotaci\u00f3n estricta de tokens de actualizaci\u00f3n est\u00e1 habilitada, la validaci\u00f3n y actualizaci\u00f3n del uso del token de actualizaci\u00f3n no se realizan de forma at\u00f3mica. Esto permite que las solicitudes de actualizaci\u00f3n concurrentes eludan la aplicaci\u00f3n del uso \u00fanico y emitan m\u00faltiples tokens de acceso desde el mismo token de actualizaci\u00f3n. Como resultado, el endurecimiento de la rotaci\u00f3n de tokens de actualizaci\u00f3n de Keycloak puede verse socavado."
    }
  ],
  "id": "CVE-2026-1035",
  "lastModified": "2026-04-02T14:16:25.143",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 3.1,
          "baseSeverity": "LOW",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 1.4,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-21T06:15:46.937",
  "references": [
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2026:6477"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2026:6478"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/security/cve/CVE-2026-1035"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430314"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-367"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.