CVE-2026-8922

EUVD-2026-30843

19.05.2026, 08:16

A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.4 MEDIUM	NETWORK	LOW	LOW	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Common Weakness Enumeration

CWE-303 - Incorrect Implementation of Authentication Algorithm
The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect.

Vulnerability Media Exposure

[GERMAN] Keycloak (OIDC): Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen
Ein entfernter, authentisierter Angreifer kann eine Schwachstelle in Keycloak ausnutzen, um Sicherheitsvorkehrungen zu umgehen.
Published: 2026-05-18T22:00:00+00:00

References

https://access.redhat.com/security/cve/CVE-2026-8922

https://bugzilla.redhat.com/show_bug.cgi?id=2479586