Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 53 maven packages depend on org.keycloak:keycloak-services (25 direct, 28 indirect)
Ecosystem-wide dependent count for version 26.5.7.
DescriptionCVE.org
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.
AnalysisAI
Keycloak's SingleUseObjectProvider lacks proper type and namespace isolation, allowing unauthenticated remote attackers with user interaction to delete arbitrary single-use entries and replay consumed action tokens such as password reset links, leading to account compromise. The vulnerability requires user interaction (UI:R) and high attack complexity (AC:H), resulting in a CVSS score of 5.3. No public exploit code or active exploitation has been confirmed at time of analysis.
Technical ContextAI
Keycloak's SingleUseObjectProvider is a global key-value store mechanism responsible for managing single-use tokens and action tokens, including password reset and email verification links. The vulnerability stems from improper isolation of token types and namespaces (CWE-653: Unsupported Feature in Generator), allowing attackers to manipulate the store without proper access controls or validation. This design flaw enables an attacker to enumerate and delete entries belonging to other users or sessions, effectively invalidating the single-use constraint that these tokens are designed to enforce. The affected component is present in Red Hat Build of Keycloak across multiple versions as indicated by the wildcard CPE specification.
RemediationAI
Organizations running Red Hat Build of Keycloak should apply the vendor-released patch corresponding to their deployed version as soon as practical. Consult Red Hat's official security advisory at https://access.redhat.com/security/cve/CVE-2026-4325 for specific patched version numbers and upgrade instructions. Interim mitigations should focus on restricting access to password reset and account recovery flows to authenticated, trusted networks if operationally feasible, and monitoring for unusual token consumption patterns. Organizations should prioritize patching authentication-critical systems first, given the potential for account compromise through token replay attacks.
Same weakness CWE-653 – Improper Isolation or Compartmentalization
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18210
GHSA-rx66-hj7g-28h7