CVE-2026-8922
Keycloak OpenID Connect Introspection Policy Bypass
Publication date: 2026-05-19
Last updated on: 2026-05-19
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-303 | Incorrect Implementation of Authentication Algorithm: the requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-8922 is a flaw in Keycloak's OpenID Connect (OIDC) token introspection endpoint. Keycloak's revocation policy works through a 'notBefore' timestamp: a token issued before that timestamp is to be treated as revoked. The timestamp can be set for a whole realm, covering every client in it, or for an individual client. When both a realm-level and a client-level notBefore policy are set, introspection fails to enforce the realm-level one, so tokens issued before the realm-level cut-off may still be reported as active.
As a result, tokens an administrator has revoked realm-wide can continue to be accepted by resource servers that rely on introspection, giving their holders access or session validity beyond what the revocation was meant to allow.
How can this vulnerability impact me?
Revoked tokens may still be accepted. A realm-wide revocation is typically pushed after an incident, such as a credential or key compromise, to cut off every outstanding token at once. With this flaw, wherever a client-level notBefore policy is also set, introspection keeps reporting tokens as active that the realm-wide revocation should have invalidated, so a user or attacker holding such a token keeps access to applications that trust Keycloak introspection for their authorization decisions.
The practical effect is session validity beyond the intended limit, with the attendant risk of misuse or data exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows revoked tokens to remain active because Keycloak does not enforce the realm-level revocation policy when a client-level policy is also set, so unauthorized access or continued session validity may occur.
Because revocation is a core access-control mechanism, its failure weakens the security posture of systems that use Keycloak for identity and access management and can put them out of line with requirements in standards and regulations such as GDPR and HIPAA, which mandate strict access controls and protection of sensitive data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The flaw is in Keycloak's OIDC introspection failing to honour a realm-level notBefore policy when a client-level notBefore policy is also configured, so detection starts with configuration: check whether the realm and any of its clients both carry a non-zero notBefore (the `notBefore` field of the realm representation and of each client representation in the admin REST API). Installations where only one of the two levels is ever set are not in the affected configuration.
Beyond configuration, monitor token introspection responses: a token whose `iat` is earlier than the realm's notBefore but which introspection still reports as `active: true` is the symptom.
The advisory itself provides no specific detection commands or tools.
What immediate steps should I take to mitigate this vulnerability?
The available information does not provide explicit mitigation steps or patches for this vulnerability.
As an immediate measure, avoid relying on a realm-level notBefore while client-level notBefore policies are also in use: either clear the client-level policies so that the realm-level cut-off is the only one, or, when revoking realm-wide, set the notBefore on each affected client as well, since the client-level policy is the one the description does not report as bypassed. Shortening access-token lifetimes where practicable limits how long an unrevoked token stays usable regardless.
Watch for a fixed release from Keycloak or Red Hat and apply it. After upgrading, confirm the fix by issuing a token, setting a realm-level notBefore later than that token's `iat` while a client-level policy is also set, and introspecting the token, which must then come back inactive.
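The following is an added example, not code from Keycloak or from this advisory. It implements the detection check described above (comparing what introspection reports with what the realm-level and client-level notBefore policies say it should report) and doubles as the post-upgrade verification: run it against a token you have just revoked realm-wide. It assumes that realm-level and client-level notBefore values are the epoch-second `notBefore` fields of the realm and client representations in the admin REST API (0 meaning unset), that the introspection response is the RFC 7662 JSON returned by `POST /realms/{realm}/protocol/openid-connect/token/introspect` with the client authenticating by `client_id`/`client_secret` form fields, and that a notBefore policy revokes every token whose `iat` is earlier than its cut-off. It goes slightly beyond the text by also flagging unenforced client-level policies and accepted expired tokens. The sample settings and introspection responses are constructed for the example; the `introspect()` helper is the only part that touches a live server.

```python
"""Expected-vs-observed audit of Keycloak notBefore enforcement at the
OIDC introspection endpoint.

Added example, not Keycloak project code. Assumes the admin REST API
`notBefore` fields (epoch seconds, 0 = unset), the RFC 7662 response shape
(`active`, `iat`, `exp`) and that a notBefore policy revokes tokens whose
`iat` is earlier than its cut-off. All sample data below is constructed.
"""
import json
import urllib.parse
import urllib.request


def effective_not_before(realm_not_before: int, client_not_before: int) -> int:
    """Both policies apply to a token, so the effective cut-off is the later one."""
    return max(realm_not_before, client_not_before)


def expected_active(iat: int, exp: int, now: int,
                    realm_not_before: int, client_not_before: int) -> bool:
    """Verdict a correctly behaving introspection endpoint should return."""
    if now >= exp:
        return False
    return iat >= effective_not_before(realm_not_before, client_not_before)


def audit_introspection(response: dict, now: int,
                        realm_not_before: int, client_not_before: int) -> dict:
    """Compare the server's `active` flag with the expected verdict.

    `mismatch` is True when the server accepted a token that a notBefore
    policy (or expiry) should have revoked; `reason` names the cause.
    """
    observed = bool(response.get("active", False))
    if not observed:
        # RFC 7662 lets an inactive response omit every other claim, so there
        # is nothing more to check; the bypass only produces false "active".
        return {"observed": False, "expected": None, "mismatch": False,
                "reason": "inactive"}
    iat, exp = int(response["iat"]), int(response["exp"])
    expected = expected_active(iat, exp, now, realm_not_before, client_not_before)
    if expected:
        reason = "ok"
    elif iat < client_not_before:
        reason = "client notBefore not enforced"
    elif iat < realm_not_before:
        reason = "realm notBefore not enforced"
    else:
        reason = "expired token accepted"
    return {"observed": True, "expected": expected,
            "mismatch": observed != expected, "reason": reason}


def introspect(base_url: str, realm: str, client_id: str,
               client_secret: str, token: str) -> dict:
    """Live call to the introspection endpoint (client_secret_post auth)."""
    url = f"{base_url}/realms/{realm}/protocol/openid-connect/token/introspect"
    body = urllib.parse.urlencode({"token": token, "client_id": client_id,
                                   "client_secret": client_secret}).encode()
    req = urllib.request.Request(url, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample: a client-level revocation was pushed ten minutes before
# a realm-wide one (the realm push is what an operator relies on after an
# incident). NOW is one minute after the realm push.
REALM_NOT_BEFORE = 1_700_000_000
CLIENT_NOT_BEFORE = REALM_NOT_BEFORE - 600
NOW = REALM_NOT_BEFORE + 60

SAMPLE_RESPONSES = {
    # issued after both cut-offs: must be active
    "fresh": {"active": True, "iat": REALM_NOT_BEFORE + 30, "exp": NOW + 240},
    # issued after the client cut-off but before the realm cut-off: a correct
    # server answers active=false; this constructed response shows the
    # symptom the advisory describes (realm-level policy not enforced)
    "realm_revoked_still_active": {"active": True, "iat": REALM_NOT_BEFORE - 120,
                                   "exp": NOW + 240},
    # issued before the client cut-off: correctly rejected
    "client_revoked": {"active": False},
}


def run_samples() -> dict:
    """Audit every constructed sample; keyed by sample name."""
    return {name: audit_introspection(r, NOW, REALM_NOT_BEFORE, CLIENT_NOT_BEFORE)
            for name, r in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, report in run_samples().items():
        flag = "MISMATCH" if report["mismatch"] else "ok"
        print(f"{name:28} {flag:8} {report['reason']}")
```

To run it against a deployment, read the realm's `notBefore` from `GET /admin/realms/{realm}` and the client's from `GET /admin/realms/{realm}/clients/{uuid}` with an admin bearer token, feed the result of `introspect()` together with those two values and the current time to `audit_introspection()`, and treat any `mismatch` with reason `realm notBefore not enforced` as the bypass this advisory describes.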