Red Hat Keycloak CVE-2026-8922

EUVD-2026-30843
Severity: MEDIUM (CVSS 3.1 score 5.4)
Incorrect Implementation of Authentication Algorithm (CWE-303)
2026-05-19 redhat GHSA-83c4-ffjp-mxp9

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: May 19, 2026 - 08:31 (vuln.today)

Description (NVD)

A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.

Analysis (AI)

Token revocation bypass in Red Hat Keycloak's OIDC Introspection endpoint allows low-privileged authenticated users to continue using tokens that should have been invalidated by realm-level notBefore revocation policies. When both realm-level and client-level notBefore policies are simultaneously active, the introspection endpoint incorrectly evaluates only the client-level policy, silently ignoring the realm-wide revocation. …
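
The following is an added example, not Keycloak code and not part of the original advisory: a small model of the two evaluation orders that lists which tokens stay active only because the realm-level notBefore is skipped. The function names, the sample tokens and timestamps, and the convention that 0 means "no policy set" and that a token is revoked when its `iat` is earlier than notBefore are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    jti: str        # token id (constructed sample value)
    client_id: str  # client the token was issued to
    iat: int        # issued-at, epoch seconds

def is_stale(iat: int, not_before: int) -> bool:
    # Assumption: 0 means no policy; a token issued before notBefore is revoked.
    return not_before > 0 and iat < not_before

def active_flawed(tok: Token, realm_nb: int, client_nb: dict) -> bool:
    """Model of the described flaw: a client-level policy, once set,
    is the only one evaluated and the realm-level policy is ignored."""
    client = client_nb.get(tok.client_id, 0)
    if client > 0:
        return not is_stale(tok.iat, client)
    return not is_stale(tok.iat, realm_nb)

def active_expected(tok: Token, realm_nb: int, client_nb: dict) -> bool:
    """Intended behaviour: the token must pass both revocation policies."""
    client = client_nb.get(tok.client_id, 0)
    return not (is_stale(tok.iat, realm_nb) or is_stale(tok.iat, client))

def wrongly_active(tokens, realm_nb: int, client_nb: dict) -> list:
    """Token ids reported active by the flawed check but revoked by policy."""
    return [t.jti for t in tokens
            if active_flawed(t, realm_nb, client_nb)
            and not active_expected(t, realm_nb, client_nb)]

# Constructed sample data: realm-wide revocation is later than the client one.
REALM_NB = 1_000_500
CLIENT_NB = {"billing": 1_000_200}
TOKENS = [
    Token("t1", "billing", 1_000_100),  # before both policies
    Token("t2", "billing", 1_000_300),  # after client policy, before realm policy
    Token("t3", "billing", 1_000_600),  # after both policies
    Token("t4", "reports", 1_000_300),  # no client policy, before realm policy
]

if __name__ == "__main__":
    print(wrongly_active(TOKENS, REALM_NB, CLIENT_NB))
```

Only tokens issued after the client-level notBefore but before the realm-level notBefore fall into the gap, so that window is the one to review when auditing sessions on an affected deployment.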
