CVE-2026-1035 Org.keycloak.protocol.oidc: keycloak refresh token reuse bypass via toctou race condition

A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...

Keycloak security vulnerabilities

Keycloak is an open-source identity and access management solution developed by Keycloak itself. Keycloak has a security vulnerability, which stems from the TokenManager class’s inability to perform atomic validation and updates during the processing of refresh tokens. This issue may allow...