CVE-2024-7318

MEDIUM 4.8

Keycloak-core: one time passcode (otp) is valid longer than expiration timeseverity

CVSS Score

4.8

EPSS Score

0.0%

EPSS Percentile

0th

A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.

CWE	CWE-324
Published	Sep 9, 2024
Last Updated	Jan 26, 2026

Stay Ahead of the Next One

Get instant alerts for

Be the first to know when new medium vulnerabilities are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected Versions

Red Hat / Red Hat Build of Keycloak

All versions affected

Red Hat / Red Hat build of Keycloak 24

All versions affected

Red Hat / Red Hat build of Keycloak 24

All versions affected

Red Hat / Red Hat build of Keycloak 24

All versions affected

References

NVD ↗ CVE.org ↗ EPSS Data ↗

access.redhat.com: https://access.redhat.com/errata/RHSA-2024:6502 access.redhat.com: https://access.redhat.com/errata/RHSA-2024:6503 access.redhat.com: https://access.redhat.com/security/cve/CVE-2024-7318 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2301876

Credits

This issue was discovered by Todd Cullum (Red Hat).