CVE-2026-1035
📋 TL;DR
This vulnerability allows attackers to bypass Keycloak's refresh token rotation security feature when strict rotation is enabled. Concurrent refresh requests can issue multiple access tokens from the same refresh token, undermining single-use enforcement. This affects Keycloak servers with strict refresh token rotation enabled.
💻 Affected Systems
- Keycloak
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could maintain persistent unauthorized access to protected resources by repeatedly obtaining new access tokens from a single compromised refresh token.
Likely Case
Unauthorized access token issuance allowing temporary access to protected resources until the refresh token eventually expires or is revoked.
If Mitigated
Limited impact if proper monitoring detects unusual token usage patterns and tokens have short expiration times.
🎯 Exploit Status
Requires an existing refresh token and the ability to send concurrent requests; exploitation depends on hitting a narrow timing window
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific patched versions
Vendor Advisory: https://access.redhat.com/security/cve/CVE-2026-1035
Restart Required: Yes
Instructions:
1. Check current Keycloak version
2. Apply vendor-provided patch/update
3. Restart Keycloak service
4. Verify fix implementation
🔧 Temporary Workarounds
Disable Strict Refresh Token Rotation
Temporarily disable the strict refresh token rotation feature until the patch can be applied
Update the Keycloak configuration to set 'refresh-token-rotation' to 'false' or to a less strict setting
Reduce Refresh Token Lifespan
Decrease the refresh token validity period to limit the potential abuse window
Set 'refresh-token-max-reuse' to a lower value in the Keycloak configuration
🧯 If You Can't Patch
- Implement additional authentication layers for sensitive operations
- Enhance monitoring for unusual token usage patterns and concurrent refresh attempts
🔍 How to Verify
Check if Vulnerable:
Check whether strict refresh token rotation is enabled in the Keycloak configuration and whether the running version falls within the affected range
Check Version:
Check the Keycloak server logs or the admin console for version information
Verify Fix Applied:
Test refresh token behavior with concurrent requests to ensure single-use enforcement works correctly
📡 Detection & Monitoring
Log Indicators:
- Multiple access tokens issued from the same refresh token within a short timeframe
- Concurrent refresh requests carrying the same refresh token ID
Network Indicators:
- Unusual pattern of /token endpoint requests from the same client
SIEM Query:
source="keycloak" AND "refresh_token" AND count by refresh_token_id > threshold
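The log indicators above can be checked offline against exported Keycloak event logs. The following is an added example, not part of this advisory or of Keycloak itself: it parses constructed sample lines in the key=value layout of Keycloak's jboss-logging event listener (the field names refresh_token_id, token_id and ipAddress are assumed) and reports every refresh token that produced more than one access token, which under strict rotation should never happen.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the key=value layout of Keycloak's jboss-logging event
# listener; the field names (refresh_token_id, token_id, ipAddress) are assumed.
# Line 3 redeems rt-bbb a second time, 30 ms after line 2, and receives a different
# access token: the multiple-issuance pattern this advisory describes.
SAMPLE_LOG = """\
2026-01-15T10:00:00.100Z type=REFRESH_TOKEN, realmId=prod, clientId=web, userId=u1, ipAddress=10.0.0.5, refresh_token_id=rt-aaa, token_id=at-001, updated_refresh_token_id=rt-bbb
2026-01-15T10:05:00.200Z type=REFRESH_TOKEN, realmId=prod, clientId=web, userId=u1, ipAddress=10.0.0.5, refresh_token_id=rt-bbb, token_id=at-002, updated_refresh_token_id=rt-ccc
2026-01-15T10:05:00.230Z type=REFRESH_TOKEN, realmId=prod, clientId=web, userId=u1, ipAddress=203.0.113.9, refresh_token_id=rt-bbb, token_id=at-003, updated_refresh_token_id=rt-ddd
2026-01-15T10:06:00.000Z type=REFRESH_TOKEN_ERROR, realmId=prod, clientId=web, userId=u1, ipAddress=203.0.113.9, error=invalid_token, refresh_token_id=rt-aaa
"""

def parse_event(line):
    """Parse '<ISO timestamp> key=value, key=value, ...' into a dict; None if malformed."""
    try:
        ts, rest = line.split(" ", 1)
        event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")}
    except ValueError:
        return None
    for field in rest.split(", "):
        key, _, value = field.partition("=")
        event[key.strip()] = value.strip()
    return event

def find_reused_refresh_tokens(log_text):
    """Return {refresh_token_id: {"tokens", "span_s", "ips"}} for every refresh token
    that successfully produced more than one access token. Under strict rotation a
    refresh token is single-use, so each entry is an alert; span_s and ips aid triage
    (a sub-second span matches the concurrent-request bypass, a new IP suggests theft)."""
    uses = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev.get("type") != "REFRESH_TOKEN":  # errors are not issuances
            continue
        uses[ev["refresh_token_id"]].append((ev["ts"], ev["token_id"], ev["ipAddress"]))
    alerts = {}
    for rt_id, events in uses.items():
        tokens = sorted({tok for _, tok, _ in events})
        if len(tokens) > 1:
            events.sort()
            alerts[rt_id] = {"tokens": tokens,
                             "span_s": (events[-1][0] - events[0][0]).total_seconds(),
                             "ips": sorted({ip for _, _, ip in events})}
    return alerts

if __name__ == "__main__":
    for rt_id, info in find_reused_refresh_tokens(SAMPLE_LOG).items():
        print(f"ALERT {rt_id}: {len(info['tokens'])} access tokens in {info['span_s']}s from {info['ips']}")
```

Feed it the real event log after enabling the REFRESH_TOKEN event type in the realm's event settings; any non-empty result after the patch is applied indicates the single-use enforcement is still not holding.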