Description
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
Published: 2026-05-28
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Keycloak lets an attacker who has previously captured a user's refresh token reuse that token after a server restart, even though it was revoked under revokeRefreshToken=true, when persistent session storage is enabled. The replayed token yields fresh tokens for the victim's account, so the attacker gains unauthorized access and can read or modify whatever the victim can reach (information disclosure, privilege escalation). The weakness is CWE-613, Insufficient Session Expiration: a refresh token that should have been invalidated on its first use stays valid.

Affected Systems

Red Hat Build of Keycloak. No version range is documented in the available data (the CPE is cpe:/a:redhat:build_keycloak: with no version), so every installation of the Red Hat build that runs with revokeRefreshToken=true and persistent session storage should be treated as affected until an erratum says otherwise. The description refers to Keycloak itself rather than to Red Hat packaging, so upstream Keycloak deployments with the same configuration should be assessed as well, even though only the Red Hat build is listed.

Risk and Exploitability

The CVSS 3.1 base score of 6.8 (vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) is Medium. The attack is network-reachable and needs no privileges, but attack complexity is high and user interaction is required: the attacker must already hold a captured refresh token, and the server must restart while the persisted session that token belongs to is still alive. Confidentiality and integrity impact are rated high; availability is unaffected. The EPSS score is below 1%, the vulnerability is not in CISA's KEV catalog, and the SSVC record lists Exploitation: none, so exploitation in the wild is not confirmed. The threat is nonetheless concrete where sessions are long-lived, refresh tokens sit in client-side storage that can be stolen, or a cluster is restarted routinely: a token captured earlier is no longer dead after the next restart.

Generated by OpenCVE AI on May 28, 2026 at 07:21 UTC.
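The practical check a practitioner wants is a replay probe: use a refresh token once, restart the server (or do nothing, for the baseline), then present the old token again; with revokeRefreshToken=true the second use must be rejected with invalid_grant. The script below is an added example, not OpenCVE's or Keycloak's code. It speaks plain OAuth 2.0 refresh_token grants through an injectable transport, and ships a constructed offline stand-in (FakeKeycloak) that models only the symptom the advisory describes, rotation bookkeeping that does not survive a restart while sessions do; it is not a model of Keycloak's real internals, and the endpoint URL, client id and token values are placeholders.

```python
"""Replay probe for revoked refresh tokens (added example; not project code)."""
import json
import sys
import urllib.error
import urllib.parse
import urllib.request


def http_post_form(url, fields):
    """Real transport: POST a form body, return (HTTP status, parsed JSON)."""
    data = urllib.parse.urlencode(fields).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def refresh_grant(token_endpoint, client_id, refresh_token, transport, client_secret=None):
    """One refresh_token grant against the OIDC token endpoint."""
    fields = {"grant_type": "refresh_token", "client_id": client_id,
              "refresh_token": refresh_token}
    if client_secret:
        fields["client_secret"] = client_secret
    return transport(token_endpoint, fields)


def replay_check(token_endpoint, client_id, refresh_token, transport=http_post_form,
                 client_secret=None, between=None):
    """Use the token, optionally run `between` (e.g. restart the server), then
    present the *old* token again. Returns a verdict dict; anything other than
    'replay_rejected' means revocation did not hold."""
    status, body = refresh_grant(token_endpoint, client_id, refresh_token, transport, client_secret)
    if status != 200 or "refresh_token" not in body:
        return {"verdict": "error", "first_status": status, "first_error": body.get("error")}
    if between:
        between()
    status2, body2 = refresh_grant(token_endpoint, client_id, refresh_token, transport, client_secret)
    accepted = status2 == 200 and "access_token" in body2
    return {"verdict": "replay_accepted" if accepted else "replay_rejected",
            "second_status": status2, "second_error": body2.get("error"),
            "rotated_refresh_token": body["refresh_token"]}


class FakeKeycloak:
    """Constructed offline stand-in, not Keycloak code. Models one thing only:
    persisted sessions (`live`) survive a restart, the use-once bookkeeping
    (`revoked`) does not, which is the symptom described in the advisory."""

    def __init__(self):
        self._n = 0
        self.live = set()      # refresh tokens bound to a persisted session
        self.revoked = set()   # tokens already used once (revokeRefreshToken=true)

    def seed(self):
        """Issue a fresh refresh token, as a login would."""
        self._n += 1
        tok = f"rt-{self._n}"
        self.live.add(tok)
        return tok

    def restart(self):
        # Sessions persist across the restart; the revocation set is lost.
        self.revoked.clear()

    def transport(self, url, fields):
        tok = fields.get("refresh_token")
        if fields.get("grant_type") != "refresh_token" or tok not in self.live:
            return 400, {"error": "invalid_grant", "error_description": "invalid refresh token"}
        if tok in self.revoked:
            return 400, {"error": "invalid_grant", "error_description": "refresh token already used"}
        self.revoked.add(tok)
        new = self.seed()
        return 200, {"access_token": f"at-for-{new}", "refresh_token": new, "token_type": "Bearer"}


if __name__ == "__main__":
    # Lab usage against a real realm (placeholder values):
    #   python replay_check.py https://kc.example/realms/corp/protocol/openid-connect/token portal <refresh_token>
    if len(sys.argv) == 4:
        ep, cid, rt = sys.argv[1:4]
        pause = lambda: input("Restart Keycloak now, then press Enter: ")
        print(json.dumps(replay_check(ep, cid, rt, between=pause), indent=2))
    else:
        fk = FakeKeycloak()
        print(replay_check("https://kc.example/token", "portal", fk.seed(),
                           transport=fk.transport, between=fk.restart))
```

Run the probe twice against a test realm with a session created before the restart: once with no `between` step (expected: replay_rejected) and once with the restart in between. A replay_accepted verdict after the restart reproduces the behaviour the advisory describes; treat the refresh token used for the probe as burned afterwards.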

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Watch Red Hat's advisories (the Bugzilla entry linked below) for an erratum that addresses replay of revoked refresh tokens, and apply it when available.
  • Do not disable revokeRefreshToken as a workaround: with it off, a refresh token is never invalidated on use, so a captured token is replayable at any time rather than only after a restart. Disabling persistent session storage does remove the precondition, but sessions then do not survive a restart; weigh that against the exposure. Shortening refresh token and session idle lifetimes narrows the window, and invalidating all sessions after a restart ensures no pre-restart refresh token remains usable.
  • Multi-factor authentication at login does not stop replay of a refresh token that was already issued; reduce the chance of capture instead (keep refresh tokens out of browser-accessible storage, use sender-constrained tokens where your clients and Keycloak version support them) and monitor REFRESH_TOKEN events for the same refresh token id being accepted more than once, especially on either side of a server start.

Generated by OpenCVE AI on May 28, 2026 at 07:21 UTC.
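For the monitoring step, this added example (not OpenCVE's or Keycloak's code) runs a replay detector over constructed Keycloak event-log lines. It assumes the jboss-logging event listener's "type=..., key=value, ..." line format and that REFRESH_TOKEN events carry the refresh_token_id and updated_refresh_token_id details; the sample lines, realm, client, user ids and IP addresses are all constructed. A refresh token id that is accepted twice is a finding; one whose second acceptance falls after a server start line, or comes from a different IP, is the pattern this CVE produces.

```python
"""Detect accepted reuse of a refresh token in Keycloak event logs (added example)."""
import re
import sys

# Constructed sample lines, not from any real deployment. Format assumed:
# Keycloak jboss-logging event listener, one event per line, details as key=value.
SAMPLE_LOG = """\
2026-05-28 09:00:01,000 INFO  [org.keycloak.events] (executor-thread-1) type=REFRESH_TOKEN, realmId=corp, clientId=portal, userId=u-1, ipAddress=10.0.0.5, refresh_token_id=rt-aaa, updated_refresh_token_id=rt-bbb
2026-05-28 09:05:00,000 INFO  [org.keycloak.events] (executor-thread-2) type=REFRESH_TOKEN, realmId=corp, clientId=portal, userId=u-1, ipAddress=10.0.0.5, refresh_token_id=rt-bbb, updated_refresh_token_id=rt-ccc
2026-05-28 09:06:00,000 INFO  [org.keycloak.events] (executor-thread-2) type=REFRESH_TOKEN_ERROR, realmId=corp, clientId=portal, userId=u-1, ipAddress=10.0.0.5, error=invalid_token
2026-05-28 09:10:00,000 INFO  [io.quarkus] (main) Keycloak (example build) on JVM started in 12.3s
2026-05-28 09:12:00,000 INFO  [org.keycloak.events] (executor-thread-3) type=REFRESH_TOKEN, realmId=corp, clientId=portal, userId=u-1, ipAddress=203.0.113.9, refresh_token_id=rt-aaa, updated_refresh_token_id=rt-ddd
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) .*?type=(?P<type>[A-Z_]+),\s*(?P<rest>.*)$")
# Server start marker: a restart boundary for the replay window.
START_RE = re.compile(r"\bKeycloak\b.*\bstarted in\b")


def parse_event(line):
    """Return {'ts', 'type', <detail>: <value>, ...} or None for non-event lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = {"ts": m.group("ts"), "type": m.group("type")}
    for field in m.group("rest").split(", "):
        key, sep, val = field.partition("=")
        if sep:
            ev[key.strip()] = val.strip()
    return ev


def find_replays(lines):
    """Flag every REFRESH_TOKEN event whose refresh_token_id was already
    accepted once. Under revokeRefreshToken=true that must never happen;
    a second acceptance after a server start is the CVE-2026-9802 pattern."""
    first_use = {}    # refresh_token_id -> (event, restart generation at first use)
    generation = 0    # incremented on every server start line
    findings = []
    for line in lines:
        if START_RE.search(line):
            generation += 1
            continue
        ev = parse_event(line)
        if not ev or ev["type"] != "REFRESH_TOKEN":
            continue
        rid = ev.get("refresh_token_id")
        if not rid:
            continue
        if rid not in first_use:
            first_use[rid] = (ev, generation)
            continue
        prev, prev_gen = first_use[rid]
        findings.append({
            "refresh_token_id": rid,
            "userId": ev.get("userId"),
            "clientId": ev.get("clientId"),
            "first_use": prev["ts"],
            "replay": ev["ts"],
            "across_restart": generation > prev_gen,
            "ip_changed": ev.get("ipAddress") != prev.get("ipAddress"),
        })
    return findings


if __name__ == "__main__":
    # Usage: python detect_replay.py /path/to/keycloak.log   (defaults to the sample)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for f in find_replays(src):
        print(f)
```

Normal rotation (rt-aaa then rt-bbb then rt-ccc) produces no finding, and the pre-restart REFRESH_TOKEN_ERROR is what a correctly rejected replay looks like; the single finding is rt-aaa accepted again after the start line from a new address. Feed the detector the events of all cluster nodes in time order, since the first use and the replay may land on different nodes.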


Advisories

No advisories yet.

History

Thu, 28 May 2026 13:30:00 +0000

  Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 12:15:00 +0000

  References: updated
  Metrics (threat_severity): None -> Moderate

Thu, 28 May 2026 08:45:00 +0000

  First Time appeared: Redhat build Of Keycloak
  Vendors & Products: Redhat build Of Keycloak

Thu, 28 May 2026 06:00:00 +0000

  Description added: A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
  Title added: Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart
  First Time appeared: Redhat; Redhat build Keycloak
  Weaknesses added: CWE-613
  CPEs added: cpe:/a:redhat:build_keycloak:
  Vendors & Products: Redhat; Redhat build Keycloak
  References: added
  Metrics (cvssV3_1) added: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-28T13:00:32.592Z

Reserved: 2026-05-28T04:02:07.242Z

Link: CVE-2026-9802

Vulnrichment

Updated: 2026-05-28T13:00:25.484Z

NVD

Status : Undergoing Analysis

Published: 2026-05-28T06:16:29.620

Modified: 2026-05-28T13:44:54.327

Link: CVE-2026-9802

Redhat

Severity : Moderate

Public Date: 2026-05-28T04:10:26Z

Links: CVE-2026-9802 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T08:30:11Z

Weaknesses