Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 61 maven packages depend on org.keycloak:keycloak-services (28 direct, 33 indirect)
Ecosystem-wide dependent count for version 26.6.2.
DescriptionCVE.org
A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
AnalysisAI
Token revocation bypass in Red Hat Keycloak's OIDC Introspection endpoint allows low-privileged authenticated users to continue using tokens that should have been invalidated by realm-level notBefore revocation policies. When both realm-level and client-level notBefore policies are simultaneously active, the introspection endpoint incorrectly evaluates only the client-level policy, silently ignoring the realm-wide revocation. This means an administrator's deliberate, broad-scope revocation action - typically used in incident response or forced re-authentication scenarios - is rendered ineffective for any clients that also carry a client-level notBefore setting. No public exploit has been identified at time of analysis, and the issue is not listed in the CISA KEV catalog.
Technical ContextAI
Keycloak implements the OpenID Connect (OIDC) token introspection endpoint (RFC 7662), which resource servers query to validate access tokens. Keycloak's notBefore field is a revocation primitive that marks a timestamp before which all issued tokens for a realm or client are considered invalid - a critical control for forced session invalidation. The affected product (CPE: cpe:2.3:a:red_hat:red_hat_build_of_keycloak:*:*:*:*:*:*:*:*) implements a two-level policy hierarchy: realm-level (global, administrator-controlled) and client-level (scoped per application). The root cause is classified as CWE-303: Incorrect Implementation of Authentication Algorithm, meaning the logic that evaluates token validity during introspection fails to properly compose or cascade both policy levels - the realm-level notBefore check is bypassed when a client-level policy is also present, violating the expected security hierarchy where realm policy should take precedence.
RemediationAI
The primary remediation path is to apply the vendor-released patch from Red Hat once available; monitor https://access.redhat.com/security/cve/CVE-2026-8922 for updated advisory status and a fixed build version, as no specific patched version number was confirmed in the available data at time of analysis. As an immediate compensating control, administrators should audit all realms where both a realm-level notBefore policy and one or more client-level notBefore policies are simultaneously configured - this is the precise condition that triggers the bypass. For realms requiring urgent revocation, temporarily removing the client-level notBefore configuration and relying solely on the realm-level policy should restore correct introspection behavior, though this trade-off removes client-scoped revocation granularity. Alternatively, administrators can force token invalidation by rotating client secrets for affected clients, which invalidates existing tokens through a different code path not affected by this flaw. Restricting OIDC introspection endpoint access to trusted internal resource servers via network controls reduces the exposure window but does not eliminate the underlying policy evaluation error.
More in Red Hat Build Of Keycloak
View allAuthorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con
Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re
Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus
Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea
Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai
Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right
Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads
Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su
Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take
Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a
Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis
Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30843
GHSA-83c4-ffjp-mxp9