Home

Description

A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.

PUBLISHED Reserved 2026-05-19 | Published 2026-05-19 | Updated 2026-05-19 | Assigner redhat




MEDIUM: 5.4CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Problem types

Incorrect Implementation of Authentication Algorithm

Product status

Default status
affected

Timeline

2026-05-18:Reported to Red Hat.
2026-05-19:Made public.

Credits

Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-8922 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2479586 (RHBZ#2479586) issue-tracking

cve.org (CVE-2026-8922)

nvd.nist.gov (CVE-2026-8922)

Download JSON