5.3

CVE-2026-4325

Keycloak: keycloak: replay of action tokens via improper handling of single-use entries

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.
Data provided by the National Vulnerability Database (NVD)
Vendor   Product            Version   SW Edition
Red Hat  Build of Keycloak  -         text-only
Red Hat  Build of Keycloak  26.2      text-only
Red Hat  Build of Keycloak  26.2.15   text-only
Red Hat  Build of Keycloak  26.4      text-only
Red Hat  Build of Keycloak  26.4.11   text-only
No advisory was found for this CVE.
EPSS metrics
Type  Source     Score  Percentile
EPSS  FIRST.org  0.04%  0.119
CVSS metrics
Source               Base Score  Exploit Score  Impact Score  Vector String
secalert@redhat.com  5.3         1.6            3.6           CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE-653 Improper Isolation or Compartmentalization

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.