Platform: java
Component: keycloak
Fixed in: 26.2.15, 26.4.14
CVE-2026-4325 is a security vulnerability discovered in Keycloak related to the SingleUseObjectProvider, a global key-value store. Due to a lack of proper type and namespace isolation, an attacker can delete arbitrary single-use entries, potentially leading to the replay of consumed action tokens like password reset links and subsequent unauthorized access or account compromise. This vulnerability impacts Keycloak versions 26.2.15 and above, and a fix is expected in a future release.
The core of the impact lies in the ability to replay action tokens. Consider a scenario where a user initiates a password reset. Keycloak generates a unique, single-use token to verify the user's identity during the reset process. CVE-2026-4325 allows an attacker to delete this token after it has been consumed by the legitimate user, but before the reset process is complete. This effectively allows the attacker to generate a new, valid token using the same identifier, bypassing the intended security mechanism. The attacker could then use this replayed token to reset the user's password, gaining unauthorized access to their account. The blast radius extends to any user who has recently initiated an action requiring a single-use token, such as password resets, multi-factor authentication enrollment, or other similar workflows. Data at risk includes user credentials, personal information, and access to sensitive resources controlled by Keycloak.
CVE-2026-4325 was published on April 2, 2026. As of this date, the vulnerability's exploitation probability is pending evaluation. There are currently no publicly known Proof-of-Concept (PoC) exploits available. It is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, nor does it have an EPSS score assigned. Monitor security advisories and threat intelligence feeds for updates on potential exploitation campaigns.
Exploit status:
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-4325 is to upgrade to a patched version of Keycloak. The vendor has not yet specified a fixed version, so monitor Keycloak's security advisories for updates. Until the upgrade is possible, consider implementing temporary workarounds. One approach is to shorten the lifespan of single-use tokens to minimize the window of opportunity for exploitation. Another is to implement stricter validation checks on token usage, ensuring that tokens are only valid for a single use and within a limited timeframe. While not a direct fix, implementing Web Application Firewall (WAF) rules to detect and block suspicious token manipulation attempts can provide an additional layer of defense. Detection signatures, such as Sigma rules or YARA patterns, can be developed to identify malicious activity targeting the SingleUseObjectProvider, but their effectiveness will depend on the attacker's techniques.
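As an added illustration (not Keycloak's own SingleUseObjectProvider code), the following Python models the flaw the advisory describes beside a hardened store: a flat key space lets any caller delete any entry it can name, while keying entries by token type and making consumption a single atomic read-and-delete with a short TTL gives the isolation and one-time use the mitigations above call for. The class and function names are constructed for this example.

```python
import secrets
import time

# Constructed models of a single-use store; not Keycloak's SingleUseObjectProvider code.
class FlatSingleUseStore:
    """One global key space: remove() takes only an identifier, so code handling
    one kind of entry can delete an entry of any other kind it can name."""
    def __init__(self):
        self._entries = {}

    def put(self, key, ttl_seconds, value):
        self._entries[key] = (value, time.monotonic() + ttl_seconds)

    def contains(self, key):
        return key in self._entries

    def remove(self, key):
        return self._entries.pop(key, None) is not None


class NamespacedSingleUseStore:
    """Hardened model: entries are keyed by (namespace, id), a caller can only
    reach the namespace it names, and consume() is one atomic read-and-delete."""
    def __init__(self):
        self._entries = {}

    def put(self, namespace, key, ttl_seconds, value):
        self._entries[(namespace, key)] = (value, time.monotonic() + ttl_seconds)

    def contains(self, namespace, key):
        return (namespace, key) in self._entries

    def consume(self, namespace, key):
        entry = self._entries.pop((namespace, key), None)
        if entry is None:
            return None
        value, expires_at = entry
        return value if time.monotonic() < expires_at else None


def issue_reset_token(store, user_id, ttl_seconds=300):
    """Issue a short-lived reset token in its own namespace; returns the token id."""
    token_id = secrets.token_urlsafe(24)
    store.put("reset-password", token_id, ttl_seconds, {"user": user_id})
    return token_id


def redeem_reset_token(store, token_id):
    """User id on first valid use; None on replay, expiry, or a foreign namespace."""
    entry = store.consume("reset-password", token_id)
    return entry["user"] if entry else None
```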
Update Keycloak to version 26.2.15 or later, or to version 26.4.14 or later. This update fixes a vulnerability that allows an attacker to delete single-use entries, which could allow consumed action tokens, such as password reset links, to be replayed, potentially leading to unauthorized access or account compromise.
It's a Keycloak component that temporarily stores single-use data, like password reset tokens.
It could allow attackers to reset user passwords without their consent, compromising their accounts.
Restricting access to the SingleUseObjectProvider and enabling multi-factor authentication (MFA) are temporary measures.
Red Hat is working on a patch and it is expected to be available shortly. Check official Red Hat sources for updates.
Change your password immediately and contact your Keycloak administrator to investigate the incident.