
Mohamed Amine Ait Ouchebou

Researcher from Indiesecurity
#53076 of 53,633
3.1 Total CVSS
Vulnerabilities · 1
PT-2026-3754
3.1
2026-01-21
Red Hat · Keycloak · CVE-2026-1035
**Name of the Vulnerable Software and Affected Versions**

Keycloak (affected versions not specified)

**Description**

A flaw exists in Keycloak's refresh token processing within the `TokenManager` class, specifically in the enforcement of refresh token reuse policies. When strict refresh token rotation is enabled, the validation of a refresh token and the update of its usage record are not performed atomically. Because the check and the update are separate steps, concurrent refresh requests presenting the same refresh token can each pass validation before any of them records the use, bypassing single-use enforcement and potentially resulting in multiple access tokens being issued from a single refresh token. This undermines the hardening that refresh token rotation is meant to provide. The issue is a race condition in the `TokenManager` that enables unauthorized access token generation.

**Recommendations**

At the moment, there is no information about a newer version that contains a fix for this vulnerability.