GHSA-m2w5-7xhv-w6fh: Keycloak does not validate and update refresh token usage atomically
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined.
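The race the advisory describes, modelled as an added Go example (not Keycloak's TokenManager code; the store, method names and the token ID "rt-1" are hypothetical): a reuse check and a usage update that are each locked but run as two separate steps let every concurrently racing refresh request pass the check, while a single check-and-set critical section admits exactly one.

```go
package main

import "sync"

// RefreshStore: which refresh-token IDs were redeemed (hypothetical stand-in, not Keycloak code).
type RefreshStore struct {
	mu   sync.Mutex
	used map[string]bool
}
// Validate and MarkUsed are each locked, but as two separate steps: the non-atomic pattern at issue.
func (s *RefreshStore) Validate(id string) bool { s.mu.Lock(); defer s.mu.Unlock(); return !s.used[id] }
func (s *RefreshStore) MarkUsed(id string)      { s.mu.Lock(); s.used[id] = true; s.mu.Unlock() }
// RedeemAtomic does check and update in one critical section, so only the first caller can win.
func (s *RefreshStore) RedeemAtomic(id string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.used[id] {
		return false
	}
	s.used[id] = true
	return true
}
// ReplayRace replays the harmful schedule deterministically: every one of n refresh requests
// passes Validate before any of them reaches MarkUsed. Returns how many access tokens issue.
func ReplayRace(n int) int {
	s := &RefreshStore{used: map[string]bool{}}
	issued := 0
	for i := 0; i < n; i++ {
		if s.Validate("rt-1") { // "rt-1" is a constructed token ID
			issued++
			defer s.MarkUsed("rt-1") // the update lands only after every check already passed
		}
	}
	return issued
}
// ConcurrentAtomic fires n goroutines at RedeemAtomic for the same ID and counts the winners.
func ConcurrentAtomic(n int) int {
	s := &RefreshStore{used: map[string]bool{}}
	results := make(chan bool, n)
	for i := 0; i < n; i++ {
		go func() { results <- s.RedeemAtomic("rt-1") }()
	}
	issued := 0
	for i := 0; i < n; i++ {
		if <-results {
			issued++
		}
	}
	return issued
}
```

With five racing requests, ReplayRace returns 5 tokens from one refresh token, while ConcurrentAtomic returns 1 no matter how the goroutines are scheduled.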
CVE-2026-1035
Severity: Low (GitHub Reviewed)
Published to the GitHub Advisory Database: Jan 21, 2026 • Updated: Jan 21, 2026
Package: org.keycloak:keycloak-services (Maven)
Affected versions: <= 26.2.5