CVE-2026-4325 PUBLISHED

Keycloak: keycloak: replay of action tokens via improper handling of single-use entries

Assigner: redhat
Reserved: 17.03.2026 Published: 02.04.2026 Updated: 02.04.2026

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSS Score: 5.3

Product Status

Vendor Red Hat
Product Red Hat build of Keycloak 26.4
Versions Default: affected
  • unaffected from 26.4-14 to * (excl.)
Vendor Red Hat
Product Red Hat build of Keycloak 26.4
Versions Default: affected
  • unaffected from 26.4.11-1 to * (excl.)
Vendor Red Hat
Product Red Hat build of Keycloak 26.4
Versions Default: affected
  • unaffected from 26.4-14 to * (excl.)
Vendor Red Hat
Product Red Hat build of Keycloak 26.4.11
Versions Default: unaffected

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Credits

  • Red Hat would like to thank Ngọc Chung Kim for reporting this issue.

References

Problem Types

  • Improper Isolation or Compartmentalization CWE