Medium severity (CVSS 5.4) · NVD Advisory · Published May 19, 2026 · Updated Jun 10, 2026
CVE-2026-8922
Description
A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
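An added illustration of the check the description says introspection failed to apply, not Keycloak's own code: a simplified model in which a token is active only if it was issued at or after every applicable notBefore value, realm-level as well as client-level. The `introspect_client_only` variant is a hypothetical model of the described behaviour (the realm-level policy being ignored when a client-level one exists), written for contrast; the field names, sample timestamps and client id are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class RevocationPolicy:
    """notBefore values as Unix seconds; 0 means no revocation is in force."""
    realm_not_before: int = 0
    client_not_before: Dict[str, int] = field(default_factory=dict)

    def effective_not_before(self, client_id: str) -> int:
        # The most restrictive (latest) policy wins; a realm-wide push
        # revocation must never be weakened by an older client-level value.
        return max(self.realm_not_before, self.client_not_before.get(client_id, 0))

    def revoke_realm(self, now: int) -> None:
        """Model of a realm-level push revocation: everything issued before now."""
        self.realm_not_before = now


@dataclass
class Token:
    client_id: str
    issued_at: int
    expires_at: int


def introspect_correct(token: Token, policy: RevocationPolicy, now: int) -> dict:
    """Introspection that honors both realm-level and client-level notBefore."""
    if now >= token.expires_at:
        return {"active": False, "reason": "expired"}
    if token.issued_at < policy.effective_not_before(token.client_id):
        return {"active": False, "reason": "revoked_by_not_before"}
    return {"active": True}


def introspect_client_only(token: Token, policy: RevocationPolicy, now: int) -> dict:
    """Hypothetical flawed model: when a client-level policy exists, only it is
    consulted, so a later realm-level revocation is silently ignored."""
    if now >= token.expires_at:
        return {"active": False, "reason": "expired"}
    client_nbf = policy.client_not_before.get(token.client_id)
    nbf = client_nbf if client_nbf is not None else policy.realm_not_before
    if token.issued_at < nbf:
        return {"active": False, "reason": "revoked_by_not_before"}
    return {"active": True}
```

A practical check for deployments on affected versions: after a realm-level push revocation, introspect a token issued before it from a client that also has its own notBefore; the correct response is `active: false`.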
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.keycloak:keycloak-services | Maven | <= 26.6.2 | — |
Affected products
- cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
References
- access.redhat.com/security/cve/CVE-2026-8922 (nvd: Vendor Advisory)
- bugzilla.redhat.com/show_bug.cgi (nvd: Issue Tracking, Vendor Advisory)
- github.com/advisories/GHSA-83c4-ffjp-mxp9 (ghsa: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-8922 (ghsa: Advisory)
- access.redhat.com/errata/RHSA-2026:25097 (nvd)
- access.redhat.com/errata/RHSA-2026:25098 (nvd)
- github.com/keycloak/keycloak/commit/b6cd645683f469724cd588fac415fe09bd20a27a (ghsa)
- github.com/keycloak/keycloak/commit/c5bda802e98b412e42fa62ff6240669e9ea4a858 (ghsa)
- github.com/keycloak/keycloak/issues/49118 (ghsa)
- github.com/keycloak/keycloak/pull/49129 (ghsa)