Time-of-check Time-of-use (TOCTOU) Race Condition

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition via the validateTokenReuse method in the TokenManager class. ...

Keycloak does not validate and update refresh token usage atomically

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

GHSA-M2W5-7XHV-W6FH Keycloak does not validate and update refresh token usage atomically

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

CVE-2026-1035

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

CVE-2026-1035

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

UBUNTU-CVE-2026-1035

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

CVE-2025-14559

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a...

CVE-2026-1035 Org.keycloak.protocol.oidc: keycloak refresh token reuse bypass via toctou race condition

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

CVE-2026-1035 Org.keycloak.protocol.oidc: keycloak refresh token reuse bypass via toctou race condition

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

EUVD-2026-3691

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

CVE-2026-1035

CVE-2026-1035 describes a race condition in Keycloak’s TokenManager when strict refresh token rotation is enabled: the validation/update of refresh token usage is not atomic, allowing concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from one refresh to...

CVE-2026-1035

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

CVE-2026-1035

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

CVE-2026-1195

A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The attack is considered ...

Keycloak security vulnerabilities

Keycloak is an open-source identity and access management solution developed by Keycloak itself. Keycloak has a security vulnerability, which stems from the TokenManager class’s inability to perform atomic validation and updates during the processing of refresh tokens. This issue may allow...

PT-2026-3753

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the keycloak-services component of Keycloak. This issue allows the issuance of access and refresh tokens for disabled users, potentially leading to unauthorized use of...

Keycloak security vulnerabilities

Keycloak is an open-source identity and access management solution developed by Keycloak itself. Keycloak has a security vulnerability, which stems from a business logic flaw in the token exchange mechanism. This flaw may lead to the issuance of access and refresh tokens for disabled users,...

PT-2026-3754

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

Insufficient Verification of Data Authenticity

Overview mineadmin/mineadmin is a Quickly build a background management system for web applications Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity via the refresh function of the /system/refresh in the JWT Token Handler component. An attacker ca...

GHSA-43RR-X62X-Q96W MineAdmin improperly refreshes tokens

A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The attack is considered ...