The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2026-1035

CVE-2026-1035: Keycloak Auth Bypass Vulnerability

CVE-2026-1035 is an authentication bypass flaw in Keycloak that allows attackers to bypass refresh token rotation policies and issue multiple tokens. This article covers the technical details, affected versions, and steps.

Published: January 23, 2026

CVE-2026-1035 Overview

A race condition vulnerability was discovered in the Keycloak identity and access management server during refresh token processing. The flaw exists in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically, creating a Time-of-Check Time-of-Use (TOCTOU) vulnerability.

This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak's refresh token rotation hardening—a security control designed to limit the impact of token theft—can be undermined by attackers with valid credentials who can issue multiple parallel requests.

Critical Impact

Attackers can exploit this race condition to bypass refresh token rotation policies, potentially maintaining persistent access even after token revocation attempts and undermining session security controls in Keycloak deployments.

Affected Products

  • Keycloak Server (versions with strict refresh token rotation enabled)
  • Red Hat Single Sign-On (SSO) deployments using Keycloak
  • Applications relying on Keycloak's refresh token rotation for security hardening

Discovery Timeline

  • January 21, 2026 - CVE-2026-1035 published to NVD
  • January 21, 2026 - Last updated in NVD database

Technical Details for CVE-2026-1035

Vulnerability Analysis

This vulnerability is classified as CWE-367: Time-of-Check Time-of-Use (TOCTOU) Race Condition. The flaw stems from a non-atomic operation in Keycloak's token management subsystem.

When a client presents a refresh token to obtain a new access token, the TokenManager class performs two distinct operations: (1) checking whether the refresh token has already been used, and (2) marking it as used. Because these operations are not performed within an atomic transaction or protected by appropriate locking mechanisms, a narrow window exists between the check and the update.

The network-accessible nature of this vulnerability means an attacker with low-privilege credentials can exploit it remotely, though the high attack complexity requires precise timing of concurrent requests. The impact is limited to integrity—specifically, the ability to bypass refresh token rotation policies—with no direct confidentiality or availability impact.

Root Cause

The root cause is the lack of atomicity in the refresh token validation and consumption workflow within the TokenManager class. When refresh token rotation is configured in strict mode, Keycloak is supposed to invalidate a refresh token immediately after use. However, the implementation performs the "is token already used?" check and the "mark token as used" update as separate, non-atomic database operations.

This design flaw creates a race window where multiple concurrent refresh requests can all pass the "is used" check before any of them complete the "mark as used" update, allowing each request to successfully obtain new tokens.

Attack Vector

The attack requires an authenticated attacker with a valid refresh token. The exploitation involves:

  1. The attacker obtains a legitimate refresh token through normal authentication flows
  2. Multiple concurrent HTTP requests are sent to Keycloak's token endpoint, each presenting the same refresh token
  3. Due to the race condition, multiple requests pass the single-use validation before any request marks the token as consumed
  4. Each successful request receives a new access token and potentially a new refresh token
  5. This effectively defeats refresh token rotation, allowing the attacker to maintain multiple valid sessions

The vulnerability requires precise timing and high concurrency to exploit reliably, explaining the network attack vector with high complexity designation. For detailed technical information, see the Red Hat CVE-2026-1035 Advisory and Red Hat Bug Report #2430314.

Detection Methods for CVE-2026-1035

Indicators of Compromise

  • Multiple successful token refresh operations using the same refresh token within a short time window (milliseconds)
  • Unusual patterns of concurrent token refresh requests from the same client or IP address
  • Detection of multiple valid access tokens associated with a single refresh token lineage
  • Audit logs showing rapid, repeated token refresh requests that would normally be rejected

Detection Strategies

  • Implement log analysis rules to detect multiple successful token refresh operations with identical refresh token identifiers
  • Monitor for anomalous spikes in concurrent token endpoint requests from single sources
  • Configure alerting on token refresh patterns that deviate from normal client behavior baselines
  • Utilize SentinelOne Singularity Platform to monitor authentication service behavior and detect exploitation attempts

Monitoring Recommendations

  • Enable detailed audit logging for all token refresh operations in Keycloak
  • Correlate token refresh events with session management logs to identify inconsistencies
  • Monitor database query patterns for the token storage tables to detect race condition exploitation
  • Implement real-time alerting on authentication anomalies through SentinelOne's behavioral AI capabilities

How to Mitigate CVE-2026-1035

Immediate Actions Required

  • Review your Keycloak deployment configuration to assess exposure to this vulnerability
  • Monitor token refresh logs for signs of exploitation while awaiting patches
  • Consider implementing additional rate limiting on token refresh endpoints as a defense-in-depth measure
  • Evaluate whether strict refresh token rotation is critical for your security posture and assess risk tolerance

Patch Information

Consult the Red Hat CVE-2026-1035 Advisory for official patch information and updates from Red Hat. Monitor the Red Hat Bug Report #2430314 for ongoing remediation progress and patch availability announcements.

Organizations should subscribe to Red Hat security announcements and Keycloak project updates to receive notification when patches become available. Apply security updates promptly once released by the vendor.

Workarounds

  • Implement strict rate limiting on the token endpoint to reduce the feasibility of concurrent exploitation attempts
  • Consider deploying a reverse proxy or API gateway with request queuing to serialize token refresh requests per client
  • If refresh token rotation is not critical to your security model, consider temporarily disabling strict rotation until patches are available
  • Implement additional session monitoring and anomaly detection at the application layer
bash
# Example: Configure rate limiting in nginx for Keycloak token endpoint
# Add to your nginx server block configuration

limit_req_zone $binary_remote_addr zone=token_limit:10m rate=2r/s;

location /auth/realms/*/protocol/openid-connect/token {
    limit_req zone=token_limit burst=5 nodelay;
    proxy_pass http://keycloak_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechKeycloak
  • SeverityLOW
  • CVSS Score3.1
  • EPSS Probability0.03%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N
  • Impact Assessment
  • ConfidentialityHigh
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-367
  • Technical References
  • Red Hat CVE-2026-1035 Advisory
  • Red Hat Bug Report #2430314
  • Related CVEs
  • CVE-2026-4636: Keycloak Auth Bypass Vulnerability
  • CVE-2026-4325: Keycloak Auth Bypass Vulnerability
  • CVE-2026-3872: Keycloak Auth Bypass Vulnerability
  • CVE-2026-4628: Keycloak Auth Bypass Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English