CVE-2026-1035

LOW

Org.keycloak Keycloak-services - TOCTOU Race Condition

Title source: rule

Description

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.

References (4)

[Vendor Advisory] https://access.redhat.com/security/cve/CVE-2026-1035

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=2430314

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:6477

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:6478

Scores

CVSS v3 3.1

EPSS 0.0001

EPSS Percentile 1.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-367

Status published

Products (8)

org.keycloak/keycloak-services 0Maven

Red Hat/Red Hat Build of Keycloak

Red Hat/Red Hat build of Keycloak 26.4 26.4-14

Red Hat/Red Hat build of Keycloak 26.4 26.4.11-1

Red Hat/Red Hat build of Keycloak 26.4.11

Red Hat/Red Hat JBoss Enterprise Application Platform 8

Red Hat/Red Hat JBoss Enterprise Application Platform Expansion Pack

Red Hat/Red Hat Single Sign-On 7

Published Jan 21, 2026

Tracked Since Feb 18, 2026