← Back to CVEs
CVE-2026-4325
MEDIUM5.3
Description
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.
CVE Details
CVSS v3.1 Score5.3
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack VectorNETWORK
ComplexityHIGH
Privileges RequiredNONE
User InteractionREQUIRED
Published4/2/2026
Last Modified4/3/2026
Sourcenvd
Honeypot Sightings0
Weaknesses (CWE)
CWE-653
References
https://access.redhat.com/errata/RHSA-2026:6475(secalert@redhat.com)
https://access.redhat.com/errata/RHSA-2026:6476(secalert@redhat.com)
https://access.redhat.com/errata/RHSA-2026:6477(secalert@redhat.com)
https://access.redhat.com/errata/RHSA-2026:6478(secalert@redhat.com)
https://access.redhat.com/security/cve/CVE-2026-4325(secalert@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=2448351(secalert@redhat.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.