CVE-2026-8922

Modified Modified - Updated After Analysis

Keycloak OpenID Connect Introspection Policy Bypass

Publication date: 2026-05-19

Last updated on: 2026-06-26

Assigner: Red Hat, Inc.

Description

A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-19

Last Modified

2026-06-26

Generated

2026-06-30

AI Q&A

2026-05-19

EPSS Evaluated

2026-06-28

NVD

CVE-2026-8922

EUVD

EUVD-2026-30843

Affected Vendors & Products

Vendor	Product	Version / Range
redhat	build_of_keycloak	*

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-303	The requirements for the product dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

Attack-Flow Graph

Executive Summary

CVE-2026-8922 is a security flaw in Keycloak's OpenID Connect (OIDC) Introspection feature. When both realm-level and client-level 'notBefore' revocation policies are set, the system fails to properly enforce the realm-level policy. This means that tokens which should have been revoked at the realm level may still remain active.

As a result, tokens that are supposed to be invalidated can continue to be used, potentially allowing unauthorized access or extended session validity.

Impact Analysis

This vulnerability can lead to unauthorized access because revoked tokens might still be accepted by the system. Users or attackers could continue to use tokens that should have been invalidated, potentially compromising the security of applications relying on Keycloak for identity and access management.

It may also result in continued session validity beyond intended limits, increasing the risk of misuse or data exposure.

Compliance Impact

This vulnerability in Keycloak allows revoked tokens to remain active due to improper enforcement of realm-level revocation policies. As a result, unauthorized access or continued session validity may occur.

Such unauthorized access risks can impact the security posture of systems using Keycloak for identity and access management, potentially leading to non-compliance with security requirements in standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive data.

Detection Guidance

This vulnerability involves Keycloak's OpenID Connect (OIDC) Introspection feature failing to honor realm-level notBefore revocation policies when client-level notBefore policies are also configured. Detection would involve checking the configuration of Keycloak realms and clients to see if both levels of notBefore revocation policies are set.

Additionally, monitoring token introspection responses for tokens that should have been revoked but are still accepted could help identify the issue.

However, no specific detection commands or tools are provided in the available information.

Mitigation Strategies

The available information does not provide explicit mitigation steps or patches for this vulnerability.

As an immediate measure, reviewing and possibly avoiding the simultaneous use of both realm-level and client-level notBefore revocation policies in Keycloak configurations may reduce exposure.

Monitoring for updates or patches from Keycloak or Red Hat and applying them once available is recommended.

Hi! I’m here to help you understand CVE-2026-8922. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70