Race condition in the Okta Java SDK
Description
Okta Java Management SDK facilitates interactions with the Okta management API. In versions 11.0.0 through 20.0.0, race conditions may arise from concurrent requests using the ApiClient class. This could cause a status code or response header from one request’s response to influence another request’s response. This issue is fixed in version 20.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A race condition in Okta Java SDK's ApiClient (v11.0.0–20.0.0) can let concurrent requests cross-communicate, potentially corrupting authorization checks.
Vulnerability
The Okta Java Management SDK versions 11.0.0 through 20.0.0 contain a race condition in the ApiClient.invokeApi() method. When multiple threads call this method concurrently, unsynchronized access to shared request/response state can cause the status code or response headers from one thread's HTTP response to leak into the context of another thread's ongoing request. [1][2]
Exploitation
An attacker does not directly trigger the race; instead, exploitation requires the vulnerable SDK to be deployed in a multithreaded application where different threads handle API calls that the application relies on for access control decisions. Under the right timing conditions, a thread that performs a privileged operation may unintentionally see the HTTP response (e.g., a 403 status) intended for a different, less privileged request, or vice versa. The application must actively inspect the response status or headers to enforce authentication or authorization logic. [1][3]
Impact
If the application uses the HTTP status code or a header from the ApiClient response to make authorization decisions, the race condition could cause a thread to act on stale or mismatched result data. This might lead to inappropriate granting or denial of access. The maximum severity depends on the sensitivity of the operations protected by such checks, but the SDK itself does not define the policy—it only provides the transport. [3]
Mitigation
The issue is fixed in version 20.0.1 (and later, e.g., 21.0.0+). The fix adds the synchronized keyword to invokeApi(), ensuring that only one thread executes the method at a time, thus eliminating the data race. Users are advised to upgrade as soon as possible, especially if their applications use the SDK in a multithreaded context for access-control-related flows. [2][3]
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.okta.sdk:okta-sdk-rootMaven | >= 11.0.0, < 20.0.1 | 20.0.1 |
Affected products
2- Range: >=11.0.0, <=20.0.0
Patches
1abf4f128a044Fix race condition in ApiClient::invokeApi() (#1580)
1 file changed · +1 −1
api/src/main/resources/custom_templates/ApiClient.mustache+1 −1 modified@@ -1087,7 +1087,7 @@ protected List<ServerConfiguration> servers = new ArrayList<ServerConfiguration> * @return The response body in type of string * @throws ApiException API exception */ - public <T> T invokeAPI( + public synchronized <T> T invokeAPI( String path, String method, List<Pair> queryParams,
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
3- github.com/advisories/GHSA-j5gq-897m-2rffghsaADVISORY
- github.com/okta/okta-sdk-java/commit/abf4f128a0441f90cb7efcdcf4bde1aef8703243ghsax_refsource_MISCWEB
- github.com/okta/okta-sdk-java/security/advisories/GHSA-j5gq-897m-2rffghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.