GHSA-xmmm-jw76-q7vg · Severity: medium · Ecosystem: maven — Keycloaks's One Time Passcode (OTP) is valid longer than expiration timeSeverity
A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and deemed unusable around 30 seconds in, the tokens are valid for an additional 30 seconds totaling 1 minute. A one time passcode that is valid longer than its expiration time increases the attack window for malicious actors to abuse the system and compromise accounts. Additionally, it increases the attack surface because at any given time, two OTPs are valid.
Conclusion & alert: CVE-2024-7318 is rated Low Risk (29.8/100): CVSS Medium severity, with low exploitation likelihood (EPSS 0.40%). Mandatory action: Monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.94% | 0.40% | -0.54% |
| 2 | 2026-06-10 | 1.22% | 0.94% | -0.28% |
| 3 | 2026-05-10 | — | 1.22% | — |
Full EPSS history (22 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 4.8 | 3.1 | MEDIUM |
|
2.2 | 2.5 | [email protected] |
| 4.8 | 3.1 | MEDIUM |
|
2.2 | 2.5 | [email protected] |
GHSA-xmmm-jw76-q7vg · Severity: medium · Ecosystem: maven — Keycloaks's One Time Passcode (OTP) is valid longer than expiration timeSeverity
| vendor | priority | summary | link |
|---|---|---|---|
redhat
|
low | — | https://access.redhat.com/security/cve/CVE-2024-7318 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| redhat | build_of_keycloak | >= 22.0, < 24.0.7 | cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2024:6502 | Issue Tracking |
| https://access.redhat.com/errata/RHSA-2024:6503 | Issue Tracking |
| https://access.redhat.com/security/cve/CVE-2024-7318 | Vendor Advisory |
| https://bugzilla.redhat.com/show_bug.cgi?id=2301876 | Issue Tracking Vendor Advisory |