Red Hat · Keycloak · CVE-2026-4325
Name of the Vulnerable Software and Affected Versions
Keycloak (affected versions not specified)
Description
A flaw exists in Keycloak where the SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This allows an attacker to delete arbitrary single-use entries, potentially enabling the replay of consumed action tokens like password reset links. Successful exploitation could lead to unauthorized access or account compromise.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.