Skip to main content

Red Hat Keycloak CVE-2026-8922

| EUVDEUVD-2026-30843 MEDIUM
Incorrect Implementation of Authentication Algorithm (CWE-303)
2026-05-19 redhat GHSA-83c4-ffjp-mxp9
5.4
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Red Hat
5.4 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 08:31 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 61 maven packages depend on org.keycloak:keycloak-services (28 direct, 33 indirect)

Ecosystem-wide dependent count for version 26.6.2.

DescriptionCVE.org

A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.

AnalysisAI

Token revocation bypass in Red Hat Keycloak's OIDC Introspection endpoint allows low-privileged authenticated users to continue using tokens that should have been invalidated by realm-level notBefore revocation policies. When both realm-level and client-level notBefore policies are simultaneously active, the introspection endpoint incorrectly evaluates only the client-level policy, silently ignoring the realm-wide revocation. This means an administrator's deliberate, broad-scope revocation action - typically used in incident response or forced re-authentication scenarios - is rendered ineffective for any clients that also carry a client-level notBefore setting. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.

Technical ContextAI

Keycloak implements the OpenID Connect (OIDC) token introspection endpoint (RFC 7662), which resource servers query to validate access tokens. Keycloak's notBefore field is a revocation primitive that marks a timestamp before which all issued tokens for a realm or client are considered invalid - a critical control for forced session invalidation. The affected product (CPE: cpe:2.3:a:red_hat:red_hat_build_of_keycloak:*:*:*:*:*:*:*:*) implements a two-level policy hierarchy: realm-level (global, administrator-controlled) and client-level (scoped per application). The root cause is classified as CWE-303: Incorrect Implementation of Authentication Algorithm, meaning the logic that evaluates token validity during introspection fails to properly compose or cascade both policy levels - the realm-level notBefore check is bypassed when a client-level policy is also present, violating the expected security hierarchy where realm policy should take precedence.

RemediationAI

The primary remediation path is to apply the vendor-released patch from Red Hat once available; monitor https://access.redhat.com/security/cve/CVE-2026-8922 for updated advisory status and a fixed build version, as no specific patched version number was confirmed in the available data at time of analysis. As an immediate compensating control, administrators should audit all realms where both a realm-level notBefore policy and one or more client-level notBefore policies are simultaneously configured - this is the precise condition that triggers the bypass. For realms requiring urgent revocation, temporarily removing the client-level notBefore configuration and relying solely on the realm-level policy should restore correct introspection behavior, though this trade-off removes client-scoped revocation granularity. Alternatively, administrators can force token invalidation by rotating client secrets for affected clients, which invalidates existing tokens through a different code path not affected by this flaw. Restricting OIDC introspection endpoint access to trusted internal resource servers via network controls reduces the exposure window but does not eliminate the underlying policy evaluation error.

CVE-2026-9800 HIGH
8.1 Jun 25

Authorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con

CVE-2026-11800 HIGH
8.1 Jun 25

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re

CVE-2026-7504 HIGH
8.1 May 19

Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus

CVE-2026-9087 HIGH
8.1 May 20

Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea

CVE-2026-4636 HIGH
8.1 Apr 02

Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai

CVE-2026-9099 HIGH
7.7 Jun 25

Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right

CVE-2026-7307 HIGH
7.5 May 19

Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads

CVE-2026-4634 HIGH
7.5 Apr 02

Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su

CVE-2026-7507 HIGH
7.5 May 19

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take

CVE-2026-4282 HIGH
7.4 Apr 02

Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a

CVE-2026-9086 HIGH
7.3 Jun 25

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis

CVE-2026-3872 HIGH
7.3 Apr 02

Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web

Vendor StatusVendor

Share

CVE-2026-8922 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy