CVE-2026-8922
Description
A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keycloak's OIDC introspection fails to honor realm-level notBefore revocation when client-level notBefore is set, allowing revoked tokens to remain active.
Vulnerability
A flaw exists in Keycloak's OpenID Connect (OIDC) Introspection feature when both realm-level and client-level notBefore revocation policies are configured. Under this condition, the introspection endpoint incorrectly ignores the realm-level policy, meaning tokens that should be considered revoked (per the realm's notBefore timestamp) may still be accepted. This affects Keycloak deployments where administrators have set a realm-wide notBefore and also configured per-client notBefore values. [1][2]
Exploitation
An attacker who possesses a token that has been revoked at the realm level (e.g., because the realm notBefore was updated) can present that token to the OIDC introspection endpoint. If a client-level notBefore is also present, the introspection may evaluate only the client-level policy and deem the token valid. The attacker does not need special network position or authentication beyond having the revoked token. The attack can be performed remotely by simply sending the token to an introspection endpoint of an affected Keycloak instance. [1][2]
Impact
Successful exploitation allows an attacker to use a token that should have been revoked, leading to unauthorized access to resources or continued session validity. This undermines the intended access control policies and can result in data exposure or privilege escalation, depending on the permissions associated with the token. The impact is limited to scenarios where both realm-level and client-level notBefore policies are configured, but it can affect all clients in the realm. [1][2]
Mitigation
Red Hat has acknowledged this issue (CVE-2026-8922), but as of the publication date no patch has been released in the available references. Users should monitor Red Hat security advisories for updates. As a workaround, administrators may consider avoiding the combined use of realm-level and client-level notBefore policies, or temporarily disabling OIDC introspection for affected clients until a fix is applied. [1][2]
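The following added example (not Keycloak's code) models the policy check described in the Vulnerability section and gives defenders an audit helper for the Mitigation section: it contrasts the flawed evaluation, which consults only the client-level notBefore when one is set, with the correct evaluation, which honours both, and flags an introspection response that reports a realm-revoked token as active. The timestamps, the `RevocationPolicies` type and the RFC 7662-shaped sample response are constructed assumptions.

```python
from dataclasses import dataclass

# Modelled on Keycloak's notBefore semantics: a token is revoked when its
# issued-at (iat) time is earlier than the applicable notBefore timestamp.
# Timestamps are Unix epoch seconds; 0 means "no policy set" (assumption).


@dataclass(frozen=True)
class RevocationPolicies:
    realm_not_before: int = 0
    client_not_before: int = 0


def effective_not_before_flawed(p: RevocationPolicies) -> int:
    # Behaviour described in CVE-2026-8922: once a client-level notBefore is
    # configured, the realm-level value is no longer consulted.
    return p.client_not_before if p.client_not_before else p.realm_not_before


def effective_not_before_correct(p: RevocationPolicies) -> int:
    # Both policies must be honoured: the later timestamp wins, so a realm-wide
    # "revoke everything issued before T" cannot be undone by an older client value.
    return max(p.realm_not_before, p.client_not_before)


def is_active(token_iat: int, p: RevocationPolicies, flawed: bool = False) -> bool:
    nb = effective_not_before_flawed(p) if flawed else effective_not_before_correct(p)
    return token_iat >= nb


def audit_introspection(introspection: dict, token_iat: int, p: RevocationPolicies) -> list:
    """Compare an introspection result with the policies an admin knows are set.
    A non-empty result means the endpoint accepted a token that the realm-level
    policy should have revoked."""
    findings = []
    if introspection.get("active") and not is_active(token_iat, p):
        findings.append(
            f"token iat={token_iat} reported active but realm notBefore="
            f"{p.realm_not_before} (client notBefore={p.client_not_before}) revokes it"
        )
    return findings


# Constructed scenario: a client-level policy set at T=1000, then a realm-wide
# revocation at T=2000. A token issued at T=1500 passes the client policy alone
# but must be rejected under the realm policy.
POLICIES = RevocationPolicies(realm_not_before=2000, client_not_before=1000)
TOKEN_IAT = 1500
# Constructed introspection response, as a flawed server would return it.
SAMPLE_RESPONSE = {"active": is_active(TOKEN_IAT, POLICIES, flawed=True), "iat": TOKEN_IAT}

if __name__ == "__main__":
    print("flawed evaluation says active:", SAMPLE_RESPONSE["active"])
    print("correct evaluation says active:", is_active(TOKEN_IAT, POLICIES))
    for finding in audit_introspection(SAMPLE_RESPONSE, TOKEN_IAT, POLICIES):
        print("FINDING:", finding)
```

To audit a real deployment, replace `SAMPLE_RESPONSE` with the JSON returned by the introspection endpoint for a token you issued before updating the realm notBefore, and `TOKEN_IAT` with that token's `iat` claim.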
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.