Keycloak OIDC Introspection ignores realm-level notBefore revocation
CVE-2026-8922 Published on May 19, 2026
Org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: security flaw in org.keycloak/keycloak-services
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
Vulnerability Analysis
CVE-2026-8922 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public. 1 day later.
Weakness Type
Incorrect Implementation of Authentication Algorithm
The requirements for the software dictate the use of an established authentication algorithm, but the implementation of the algorithm is incorrect. This incorrect implementation may allow authentication to be bypassed.
Products Associated with CVE-2026-8922
Want to know whenever a new CVE is published for Red Hat Build Keycloak? stack.watch will email you.
Affected Versions
Red Hat build of Keycloak 26.6:- Version 26.6.3-3 and below * is unaffected.
- Version 26.6-6 and below * is unaffected.
- Version 26.6-6 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.