Keycloak-core: one time passcode (OTP) is valid longer than expiration time
Description
A vulnerability was found in Keycloak. Expired OTP codes are still usable with FreeOTP when the OTP token period is set to 30 seconds (the default). Instead of expiring and being rejected about 30 seconds after it is issued, a code remains valid for a further 30 seconds, one minute in total. A one-time passcode that outlives its nominal expiration widens the window in which a captured code can be replayed to compromise an account, and it also enlarges the attack surface because at any given moment two OTP values are accepted instead of one.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Keycloak, FreeOTP codes remain valid for up to 1 minute instead of the intended 30 seconds, expanding the attack window by allowing reuse of expired OTPs.
Vulnerability
Description
A vulnerability was found in Keycloak's FreeOTP handling, where one-time passcodes (OTPs) remain usable beyond their intended expiration. With the OTP token period at its default of 30 seconds, a code that should have expired is still accepted for an additional 30 seconds, effectively doubling the validity window to one minute [1][2]. At any given moment, two OTP values are therefore considered valid instead of one.
Exploitation
Context
This flaw can be exploited by an attacker who obtains an OTP code, whether through interception, phishing, or another means, and presents it within the extended validity period. The longer window increases the likelihood that a captured code can be replayed before it expires, particularly where an adversary is positioned to observe codes as they are entered [2]. Beyond possession of a valid OTP value (and whatever primary credential the login flow requires before the OTP step), the attack needs no prior authentication and no special network position.
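The mechanism behind the doubled window, and the replay risk it creates, is easiest to see in a small RFC 6238 TOTP verifier. The following is an added example written for this page, not Keycloak's code: `validate_lax` models a verifier that also accepts the previous 30-second step (the shape of the behaviour the advisory describes), while `StrictVerifier` accepts only the current step and burns each counter once it has been used, so a captured code cannot be replayed even inside its own period. The secret is the RFC 4226/6238 test-vector key, chosen so the generated codes match the published vectors; the per-user `last_counter` store and the `look_back` parameter are illustrative assumptions.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226/6238 test-vector key, not a real Keycloak key.
SECRET = b"12345678901234567890"
PERIOD = 30      # seconds per TOTP step (the default period the advisory refers to)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, period: int = PERIOD) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter floor(now / period)."""
    return hotp(secret, now // period)


def effective_validity_seconds(period: int, look_back: int) -> int:
    """Seconds a single code is accepted when the verifier also honours
    `look_back` earlier steps: a 30 s period with one step of tolerance gives 60 s."""
    return period * (look_back + 1)


def validate_lax(secret: bytes, code: str, now: int,
                 period: int = PERIOD, look_back: int = 1) -> bool:
    """Verifier that accepts the current step plus `look_back` previous steps.
    This generic model (not Keycloak's implementation) reproduces the effect in
    the advisory: a 30 s code is still accepted for a further 30 s."""
    step = now // period
    return any(
        hmac.compare_digest(hotp(secret, step - i), code)
        for i in range(look_back + 1)
    )


class StrictVerifier:
    """Accepts only the current step and never the same counter twice per user."""

    def __init__(self, period: int = PERIOD):
        self.period = period
        self.last_counter = {}   # hypothetical per-user store: user -> last accepted step

    def validate(self, user: str, secret: bytes, code: str, now: int) -> bool:
        step = now // self.period
        if step <= self.last_counter.get(user, -1):
            return False          # replay: this step (or an older one) was already consumed
        if not hmac.compare_digest(hotp(secret, step), code):
            return False          # wrong code for the current step; previous steps are not tried
        self.last_counter[user] = step
        return True


if __name__ == "__main__":
    code = totp(SECRET, 45)                       # issued during step 1 (t = 30..59)
    print("code issued at t=45:", code)           # "287082" per the RFC test vectors
    print("lax accepts at t=89:", validate_lax(SECRET, code, 89))    # True: one minute of life
    print("lax accepts at t=90:", validate_lax(SECRET, code, 90))    # False
    v = StrictVerifier()
    print("strict first use at t=59:", v.validate("alice", SECRET, code, 59))   # True
    print("strict replay at t=59:", v.validate("alice", SECRET, code, 59))      # False
    print("strict at t=61:", v.validate("alice", SECRET, code, 61))             # False
```

Any tolerance for earlier steps should be a deliberate clock-skew allowance, sized in seconds and documented, and it must be paired with the burn-on-use check: without the counter store, even a strictly single-period verifier lets an observed code be replayed for the rest of its 30 seconds.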
Impact
Successful exploitation allows an attacker to authenticate as the targeted user using an OTP that should have expired. This weakens the security benefits of multi-factor authentication by prolonging the time an OTP is valid, thereby increasing the risk of account compromise [1][2]. The vulnerability is rated as moderate severity.
Mitigation
Red Hat released advisory RHSA-2024:6502 on September 9, 2024, updating Keycloak to version 24.0.7, which includes the fix for this issue [3]; a second Red Hat advisory, RHSA-2024:6503, is also listed in the references. According to the affected-packages table below, the patched upstream releases are 24.0.7 for the 24.x line and 25.0.4 for the 25.x line, so users should update to at least those versions. The open-source Keycloak project is available on GitHub, and users of community builds should apply the corresponding release [4].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.keycloak:keycloak-core | Maven | < 24.0.7 | 24.0.7 |
| org.keycloak:keycloak-core | Maven | >= 25.0.0, < 25.0.4 | 25.0.4 |
Affected products (10)
- pkg:maven/org.keycloak/keycloak-core (no CPE), range: >= 25.0.0, < 25.0.4
- pkg:maven/org.keycloak/keycloak-core (no CPE), range: < 24.0.7
- pkg:apk/chainguard/keycloak-config-cli (no CPE), range: < 6.4.0-r1
- pkg:apk/chainguard/keycloak-config-cli-bitnami-compat (no CPE), range: < 6.4.0-r1
- pkg:apk/chainguard/keycloak-config-cli-compat (no CPE), range: < 6.4.0-r1
- pkg:apk/chainguard/keycloak-config-cli-iamguarded-compat (no CPE), range: < 6.4.0-r1
- pkg:apk/wolfi/keycloak-config-cli (no CPE), range: < 6.4.0-r1
- pkg:apk/wolfi/keycloak-config-cli-bitnami-compat (no CPE), range: < 6.4.0-r1
- pkg:apk/wolfi/keycloak-config-cli-compat (no CPE), range: < 6.4.0-r1
- pkg:apk/wolfi/keycloak-config-cli-iamguarded-compat (no CPE), range: < 6.4.0-r1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (7)
- access.redhat.com/errata/RHSA-2024:6502 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2024:6503 (vendor advisory, Red Hat)
- github.com/advisories/GHSA-xmmm-jw76-q7vg (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-7318 (NVD entry)
- access.redhat.com/security/cve/CVE-2024-7318 (Red Hat CVE database entry)
- bugzilla.redhat.com/show_bug.cgi (Red Hat issue tracking)
- github.com/keycloak/keycloak/security/advisories/GHSA-xmmm-jw76-q7vg (Keycloak project advisory)
News mentions (0)
No linked articles in our index yet.