CVE-2024-7318 MEDIUM

CVE-2024-7318: Keycloak-core: one time passcode (otp) is valid longer than expiration time

Vendor Red Hat
Product Red Hat Build of Keycloak
Weakness CWE-324
Published September 9, 2024
Last update January 26, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP with the OTP token period set to 30 seconds (the default). Instead of expiring and being deemed unusable after about 30 seconds, the tokens remain valid for an additional 30 seconds, totaling 1 minute. A one time passcode that is valid longer than its expiration time widens the window in which a malicious actor can abuse the code and compromise an account. It also increases the attack surface because, at any given time, two OTPs are valid.
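To make the reported effect concrete, here is an added example (not Keycloak's or FreeOTP's code) of a minimal RFC 6238 TOTP verifier whose acceptance window is a parameter: with `look_back=0` a code is retired when its 30-second step ends, while `look_back=1` keeps it accepted for a further 30 seconds, so two codes are valid at any instant. The secret is the RFC 6238 test-vector key, used here only as constructed demo input.

```python
import hashlib
import hmac
import struct

# Constructed demo secret (RFC 4226/6238 test-vector key); real secrets come from enrolment.
SECRET = b"12345678901234567890"
PERIOD = 30   # seconds per time step, the default the advisory refers to
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, at // period)


def verify(secret: bytes, code: str, at: int, look_back: int, period: int = PERIOD) -> bool:
    """Accept the code for the current step and up to `look_back` previous steps.

    look_back=0 is strict; every extra step keeps one more already-expired code alive.
    """
    step = at // period
    return any(hmac.compare_digest(hotp(secret, step - i), code) for i in range(look_back + 1))


def codes_valid_at(secret: bytes, at: int, look_back: int, period: int = PERIOD) -> set:
    """The distinct codes a verifier with this look_back accepts at time `at`."""
    step = at // period
    return {hotp(secret, step - i) for i in range(look_back + 1)}


def seconds_code_accepted(secret: bytes, issued_at: int, look_back: int, period: int = PERIOD) -> int:
    """Seconds from the start of a code's step until the verifier first rejects it (simulated per second)."""
    code = totp(secret, issued_at, period)
    start = (issued_at // period) * period
    t = start
    while verify(secret, code, t, look_back, period):
        t += 1
    return t - start


if __name__ == "__main__":
    print("strict verifier accepts a code for", seconds_code_accepted(SECRET, 59, 0), "s")
    print("one-step look-back accepts a code for", seconds_code_accepted(SECRET, 59, 1), "s")
    print("codes valid at once with look-back 1:", len(codes_valid_at(SECRET, 59, 1)))
```

The strict verifier reports 30 seconds and a single valid code; the one-step look-back reports 60 seconds and two simultaneously valid codes, which is the behaviour the description attributes to the affected configuration.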

Key dates

Disclosure timeline

September 9, 2024 CVE published
January 26, 2026 Record updated