Skip to main content

Keycloak EUVDEUVD-2026-32720

| CVE-2026-9802 MEDIUM
Insufficient Session Expiration (CWE-613)
2026-05-28 secalert@redhat.com GHSA-v5g5-wwmp-jppw
6.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
6.8 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Red Hat
6.8 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 06:30 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 50 maven packages depend on org.keycloak:keycloak-services (22 direct, 28 indirect)

Ecosystem-wide dependent count for version 26.5.0.

DescriptionCVE.org

A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.

AnalysisAI

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse that token after it has been revoked, bypassing session expiration controls. The vulnerability surfaces specifically when revokeRefreshToken=true is configured alongside persistent session storage, and is triggered by a server restart that resets the internal timing mechanisms responsible for enforcing token revocation. Successful exploitation can yield full account takeover, information disclosure, or privilege escalation; no public exploit identified at time of analysis and the CVE does not appear in CISA KEV.

Technical ContextAI

Keycloak is Red Hat's open-source Identity and Access Management platform implementing OAuth 2.0 and OpenID Connect. The revokeRefreshToken=true setting is designed to enforce single-use refresh tokens - each token is invalidated upon first use, preventing replay. This mechanism relies on internal server-side timing state to determine whether a presented token has already been consumed. CWE-613 (Insufficient Session Expiration) captures the root cause: when Keycloak is paired with a persistent session backend and the server process is restarted, that in-memory timing state is reset or not correctly rehydrated from the persistent store. As a result, previously revoked tokens appear unexpired and valid to the reconstituted token validation logic. The persistence backend's record of issued tokens is present, but the revocation horizon is lost, creating a window where replayed tokens pass validation. No CPE string was included in the provided intelligence, so the specific affected Keycloak version range is not confirmed from this data.

RemediationAI

No patched release version was identified in the provided intelligence data; the upstream fix version is not confirmed from the available references. Administrators should consult the Red Hat advisory (https://access.redhat.com/security/cve/CVE-2026-9802) and Bugzilla entry (https://bugzilla.redhat.com/show_bug.cgi?id=2482467) for a confirmed patch version and upgrade path. As an immediate compensating control, consider disabling persistent session storage if revokeRefreshToken=true is required - this eliminates the timing reset condition, though it forces all sessions to terminate on server restart, impacting user experience. Alternatively, if persistent storage cannot be removed, implement a post-restart operational procedure that forces global session invalidation (invalidating all outstanding refresh tokens), accepting that legitimate users must re-authenticate after each restart. Additionally, reducing refresh token lifetimes to the shortest value operationally acceptable limits the replay window. Minimizing unplanned or frequent server restarts through high-availability configurations reduces exposure frequency, though it does not eliminate the underlying flaw.

CVE-2024-8883 MEDIUM POC
6.1 Sep 19

A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploita

CVE-2026-3047 HIGH
8.8 Mar 05

Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowin

CVE-2026-9704 HIGH
8.8 May 27

Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of

CVE-2026-3009 HIGH
8.1 Mar 05

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowin

CVE-2024-1132 HIGH
8.1 Apr 17

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS

CVE-2024-7885 HIGH
7.5 Aug 21

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across

CVE-2024-10234 HIGH
7.3 Oct 22

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Ra

CVE-2026-37980 MEDIUM
6.9 Apr 14

Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or mana

CVE-2025-7784 MEDIUM
6.5 Jul 18

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manag

CVE-2024-4629 MEDIUM
6.5 Sep 03

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no

CVE-2024-7260 MEDIUM
6.1 Sep 09

An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely e

CVE-2025-3910 MEDIUM
5.4 Apr 29

A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentic

Vendor StatusVendor

Share

EUVD-2026-32720 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy