Keycloak Refresh Token Replay Vulnerability After Server Restart

Vulnerability

A vulnerability in Keycloak allows a remote attacker to replay a user's refresh token, even after it has been revoked, under certain conditions. This issue arises when the 'revokeRefreshToken' option is enabled and persistent session storage is used. After a server restart, internal timing mechanisms can be reset, enabling the replay of previously captured refresh tokens. Successful exploitation of this vulnerability grants unauthorized access to the victim's account, which could lead to information disclosure or privilege escalation.

Impact

Exploitation of this vulnerability allows for unauthorized access to user accounts, with potential consequences including information disclosure or privilege escalation.

Added: May 28, 2026, 6:19 AM

Updated: May 28, 2026, 6:19 AM

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

1.3

exploitability

5.8

remediation

8.3

relevance

9.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

5.2

impact

1.3

exploitability

5.8

remediation

8.3

relevance

9.7

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Keycloak Refresh Token Replay Vulnerability After Server Restart

Vulnerability

Impact

Affected Products

Keycloak

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating