PT-2026-3754 · Red Hat · Keycloak

Mohamed Amine Ait Ouchebou +1

Published 2026-01-21 · Updated 2026-01-21 · CVE-2026-1035

CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Keycloak (affected versions not specified)

Description
A flaw exists in Keycloak's refresh token processing in the TokenManager class, specifically in the enforcement of the refresh token reuse policy. When strict refresh token rotation is enabled, the check that a presented refresh token is still valid for use and the update that records it as consumed are not performed atomically. Two or more refresh requests carrying the same refresh token that arrive inside that window can each pass the check before any of them has recorded the use, so each is issued its own access token and the single-use guarantee that rotation is meant to provide is bypassed. The result is a time-of-check to time-of-use race condition in the TokenManager that allows more access tokens to be generated from one refresh token than the policy permits, undermining Keycloak's refresh token rotation hardening. The CVSS vector reflects the preconditions: the requester must already be authenticated and hold a refresh token (PR:L), must win a narrow timing window (AC:H), and the impact is confined to the integrity of the rotation policy (I:L).

Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability. Track the CVE and GHSA entries listed below for a fixed release.
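The race described above, as an added model that is not Keycloak's code: a session holds the id of the one refresh token that may currently be presented, the vulnerable handler checks that id and then rotates it as two unsynchronised steps, and the hardened handler does both under a critical section. The ClientSession class, the process-local lock and the barrier used to line the requests up are assumptions; the barrier stands in for a burst of genuinely simultaneous requests to the token endpoint, which is what makes the race window observable nondeterministically against a real server.

```python
"""Model of the refresh-token rotation race described in this advisory.

Added illustration, not Keycloak's code. ClientSession, the in-process lock
and the arrival barrier are assumptions standing in for Keycloak's client
session state and for simultaneous HTTP requests to the token endpoint.
"""
from __future__ import annotations

import secrets
import threading
from dataclasses import dataclass, field


class RefreshError(Exception):
    """Raised when a presented refresh token fails the reuse check."""


@dataclass
class ClientSession:
    # Only the refresh token with this id may be presented; strict rotation
    # replaces it on every successful refresh. (Keycloak additionally keeps a
    # reuse counter for its "Refresh Token Max Reuse" setting; omitted here.)
    current_refresh_token: str
    lock: threading.Lock = field(default_factory=threading.Lock)


def _issue_tokens(session: ClientSession) -> tuple[str, str]:
    """Mint a new access token and rotate the refresh token (the 'use' step)."""
    access_token = secrets.token_hex(16)
    session.current_refresh_token = secrets.token_hex(16)
    return access_token, session.current_refresh_token


def refresh_racy(session: ClientSession, presented: str,
                 arrival: threading.Barrier | None = None) -> tuple[str, str]:
    """Vulnerable shape: check and use are two separate, unsynchronised steps."""
    # CHECK: read the current id with no lock held.
    if presented != session.current_refresh_token:
        raise RefreshError("refresh token already rotated")
    # The window between check and use. The barrier parks every caller here
    # until all of them have passed the check, i.e. it models the worst-case
    # interleaving a parallel burst of requests can produce.
    if arrival is not None:
        arrival.wait()
    # USE: every caller that reached this point still believes the token is current.
    return _issue_tokens(session)


def refresh_atomic(session: ClientSession, presented: str,
                   arrival: threading.Barrier | None = None) -> tuple[str, str]:
    """Hardened shape: the same check and use, inside one critical section."""
    if arrival is not None:
        arrival.wait()          # requests still arrive at the same instant ...
    with session.lock:          # ... but only one may check-and-rotate at a time
        if presented != session.current_refresh_token:
            raise RefreshError("refresh token already rotated")
        return _issue_tokens(session)


def concurrent_refresh(handler, clients: int = 8) -> int:
    """Present one refresh token from `clients` threads at once.

    Returns how many of them were issued an access token; under correct
    single-use enforcement that number is exactly 1.
    """
    session = ClientSession(current_refresh_token="rt-initial")  # constructed sample token id
    arrival = threading.Barrier(clients)
    issued: list[tuple[str, str]] = []
    issued_lock = threading.Lock()

    def worker() -> None:
        try:
            tokens = handler(session, "rt-initial", arrival)
        except RefreshError:
            return
        with issued_lock:
            issued.append(tokens)

    threads = [threading.Thread(target=worker) for _ in range(clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(issued)


if __name__ == "__main__":
    print("non-atomic check/use:", concurrent_refresh(refresh_racy),
          "access tokens issued from one refresh token")
    print("atomic check/use:", concurrent_refresh(refresh_atomic),
          "access token issued from one refresh token")
```

The harness is also the shape of the check a practitioner would run against a deployment: send N refresh requests with the same refresh token at once and count how many succeed; more than one means single-use enforcement is not atomic. Note that a process-local lock is only the illustrative fix; in a clustered Keycloak deployment the session state lives in a shared store, and the equivalent remedy is an atomic conditional update (compare-and-swap on the current refresh token id) in that store rather than an in-memory lock.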

Weakness Enumeration

Time Of Check To Time Of Use

Related Identifiers

CVE-2026-1035
GHSA-M2W5-7XHV-W6FH

Affected Products

Keycloak