CVE-2026-8922
Analyzed Analyzed - Analysis Complete
Keycloak OpenID Connect Introspection Policy Bypass

Publication date: 2026-05-19

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-06-03
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8922
EUVD
EUVD-2026-30843
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-303 The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-8922 is a security flaw in Keycloak's OpenID Connect (OIDC) Introspection feature. When both realm-level and client-level 'notBefore' revocation policies are set, the system fails to properly enforce the realm-level policy. This means that tokens which should have been revoked at the realm level may still remain active.

As a result, tokens that are supposed to be invalidated can continue to be used, potentially allowing unauthorized access or extended session validity.

Impact Analysis

This vulnerability can lead to unauthorized access because revoked tokens might still be accepted by the system. Users or attackers could continue to use tokens that should have been invalidated, potentially compromising the security of applications relying on Keycloak for identity and access management.

It may also result in continued session validity beyond intended limits, increasing the risk of misuse or data exposure.

Compliance Impact

This vulnerability in Keycloak allows revoked tokens to remain active due to improper enforcement of realm-level revocation policies. As a result, unauthorized access or continued session validity may occur.

Such unauthorized access risks can impact the security posture of systems using Keycloak for identity and access management, potentially leading to non-compliance with security requirements in standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive data.

Detection Guidance

This vulnerability involves Keycloak's OpenID Connect (OIDC) Introspection feature failing to honor realm-level notBefore revocation policies when client-level notBefore policies are also configured. Detection would involve checking the configuration of Keycloak realms and clients to see if both levels of notBefore revocation policies are set.

Additionally, monitoring token introspection responses for tokens that should have been revoked but are still accepted could help identify the issue.

However, no specific detection commands or tools are provided in the available information.

Mitigation Strategies

The available information does not provide explicit mitigation steps or patches for this vulnerability.

As an immediate measure, reviewing and possibly avoiding the simultaneous use of both realm-level and client-level notBefore revocation policies in Keycloak configurations may reduce exposure.

Monitoring for updates or patches from Keycloak or Red Hat and applying them once available is recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8922. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart