VDB
CVE-2026-4325
CVE-2026-4325
PUBLISHED
CVSS 5.300000190734863 MEDIUM
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.
EPSS 0.04% · 12.4th percentile
Risk Scores
CVSS v3.1
5.300000190734863
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
EPSS Score
0.04%
12.4th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4.11 | |
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2-18 |
| Red Hat | Red Hat build of Keycloak 26.2.15 | |
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2-18 |
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2.15-1 |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-14 |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4.11-1 |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-14 |
Timeline
- Apr 2, 2026 CVE Published
- Apr 2, 2026 PoC Published
- Apr 2, 2026 Distribution Patch
- Apr 2, 2026 Security Advisory
- Apr 2, 2026 Distribution Patch
- Apr 2, 2026 Security Advisory
- Apr 2, 2026 Distribution Patch
- Apr 2, 2026 Security Advisory
- Apr 2, 2026 Distribution Patch
- Apr 2, 2026 Security Advisory
- Apr 2, 2026 Security Advisory
- Apr 3, 2026 EPSS Score
References
- RHSA-2026:6475 vendor-advisory
- RHSA-2026:6476 vendor-advisory
- RHSA-2026:6477 vendor-advisory
- RHSA-2026:6478 vendor-advisory
- https://access.redhat.com/security/cve/CVE-2026-4325 vdb
- RHBZ#2448351 issue
- https://nvd.nist.gov/vuln/detail/CVE-2026-4325 advisory