Lucene search
K

257 matches found

NVD
NVD
added 2026/02/20 5:25 p.m.14 views

CVE-2026-1842

HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime default one year, an authenticated...

8.6CVSS0.00207EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/02/20 4:23 p.m.6 views

CVE-2026-1842 HyperCloud Improper Refresh Token Validation and Access Token Invalidation Allows Long-Term Unauthorized Access

HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime default one year, an authenticated...

8.6CVSS5.5AI score0.00207EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/02/20 4:23 p.m.28 views

CVE-2026-1842 HyperCloud Improper Refresh Token Validation and Access Token Invalidation Allows Long-Term Unauthorized Access

HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime default one year, an authenticated...

8.6CVSS0.00207EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/02/20 12:0 a.m.5 views

PT-2026-21250

HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime default one year, an authenticated...

8.6CVSS5.5AI score0.00207EPSS
Exploits0References2
Tenable Nessus
Tenable Nessus
added 2026/02/03 12:0 a.m.3 views

Linux Distros Unpatched Vulnerability : CVE-2026-1035

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse...

3.1CVSS5.3AI score0.00282EPSS
Exploits0References2
NVD
NVD
added 2026/01/21 7:16 a.m.8 views

CVE-2025-14559

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a...

6.5CVSS0.00443EPSS
Exploits0References4
Snyk
Snyk
added 2026/01/21 6:46 a.m.4 views

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition via the validateTokenReuse method in the TokenManager class. ...

3.1CVSS5.9AI score0.00282EPSS
Exploits0References2
OSV
OSV
added 2026/01/21 6:31 a.m.2 views

GHSA-M2W5-7XHV-W6FH Keycloak does not validate and update refresh token usage atomically

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

3.1CVSS5.8AI score0.00282EPSS
Exploits0References7
Github Security Blog
Github Security Blog
added 2026/01/21 6:31 a.m.8 views

Keycloak does not validate and update refresh token usage atomically

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

3.1CVSS5.4AI score0.00282EPSS
Exploits0References7Affected Software1
NVD
NVD
added 2026/01/21 6:15 a.m.12 views

CVE-2026-1035

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

3.1CVSS0.00282EPSS
Exploits0References4
OSV
OSV
added 2026/01/21 6:15 a.m.6 views

UBUNTU-CVE-2026-1035

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

3.1CVSS5.7AI score0.00282EPSS
Exploits0References4
UbuntuCve
UbuntuCve
added 2026/01/21 6:15 a.m.5 views

CVE-2026-1035

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

3.1CVSS5.8AI score0.00282EPSS
Exploits0References3
CVE
CVE
added 2026/01/21 5:52 a.m.30 views

CVE-2026-1035

CVE-2026-1035 describes a race condition in Keycloak’s TokenManager when strict refresh token rotation is enabled: the validation/update of refresh token usage is not atomic, allowing concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from one refresh to...

3.1CVSS5.4AI score0.00282EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/01/21 5:52 a.m.3 views

CVE-2026-1035

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

3.1CVSS5.4AI score0.00282EPSS
Exploits0References5
EUVD
EUVD
added 2026/01/21 5:52 a.m.5 views

EUVD-2026-3691

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

3.1CVSS5.4AI score0.00282EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/01/21 5:52 a.m.27 views

CVE-2026-1035 Org.keycloak.protocol.oidc: keycloak refresh token reuse bypass via toctou race condition

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

3.1CVSS0.00282EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/01/21 5:52 a.m.8 views

CVE-2026-1035

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

3.1CVSS5.5AI score0.00282EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/21 12:0 a.m.7 views

PT-2026-3754

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

3.1CVSS5.4AI score0.00282EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/01/21 12:0 a.m.6 views

PT-2026-3753

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the keycloak-services component of Keycloak. This issue allows the issuance of access and refresh tokens for disabled users, potentially leading to unauthorized use of...

8.5CVSS5.4AI score0.00443EPSS
Exploits0References19
OSV
OSV
added 2026/01/13 3:7 p.m.8 views

GHSA-3FM2-XFQ7-7778 HAXcms Has Stored XSS Vulnerability that May Lead to Account Takeover

Summary Stored XSS Leading to Account Takeover Details The Exploit Chain: 1.Upload: The attacker uploads an .html file containing a JavaScript payload. 2.Execution: A logged-in administrator is tricked into visiting the URL of this uploaded file. 3.Token Refresh: The JavaScript payload makes a...

8CVSS6.2AI score0.01036EPSS
Exploits3References5
Rows per page
Query Builder