Description
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
Published: 2026-05-19
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when both realm‑level and client‑level notBefore revocation policies are configured in Keycloak. The OpenID Connect (OIDC) introspection endpoint fails to honor the realm‑level policy under these conditions, allowing tokens that should have been revoked to remain valid. This flaw, classified as CWE‑303, enables an attacker to maintain unauthorized access or prolonged session validity.

Affected Systems

Red Hat Build of Keycloak is affected. Specific product names are Keycloak services; no exact version information is provided in the advisories. Operators of Red Hat Keycloak deployments should review their configuration for the presence of overlapping revocation policies.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. EPSS data is not available and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is through the OIDC introspection endpoint, which may be accessed by clients or attackers who can query token states. If an attacker can invoke introspection or otherwise learn token status, they can effectively bypass revocation, leading to continued access. In the absence of a vendor patch, the risk remains moderate until an update or configuration change mitigates the issue.

Generated by OpenCVE AI on May 19, 2026 at 08:51 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

OpenCVE Recommended Actions

  • Disable or remove one of the overlapping notBefore revocation policies so that only a realm‑level or client‑level policy is active, thereby ensuring consistent revocation enforcement.
  • Restrict access to the OIDC introspection endpoint to trusted clients only, and review configuration to enforce revocation checking consistently.
  • Apply the official Red Hat workaround. Note that currently no viable temporary option meets product security criteria.
  • Upgrade to the latest Keycloak release that contains a fix for this flaw, or monitor Red Hat advisories for an upcoming patch and apply it as soon as it becomes available.

Generated by OpenCVE AI on May 19, 2026 at 08:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 19 May 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Vendors & Products Redhat build Of Keycloak

Tue, 19 May 2026 07:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
Title Org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: security flaw in org.keycloak/keycloak-services
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-303
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Redhat Build Keycloak Build Of Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-19T13:41:56.816Z

Reserved: 2026-05-19T06:07:42.943Z

Link: CVE-2026-8922

cve-icon Vulnrichment

Updated: 2026-05-19T12:53:19.852Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-19T08:16:18.343

Modified: 2026-05-19T14:25:40.320

Link: CVE-2026-8922

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-19T06:22:56Z

Links: CVE-2026-8922 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T10:00:02Z

Weaknesses