CVE-2026-9802
Description
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keycloak flaw allows replayed revoked refresh tokens after server restart when revokeRefreshToken=true and persistent session storage is used.
Vulnerability
A flaw was found in Keycloak: when revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This affects versions that use persistent session storage together with the revoke-refresh-token feature; the exact affected versions are not detailed in the available references [1][2].
Exploitation
A remote attacker who has previously captured a user's refresh token can replay that token after a server restart, even if the token was revoked before the restart. The attacker does not need any special network position beyond being able to send the captured token. No user interaction is required for the replay [1][2].
Impact
Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation. The impact aligns with the CVSS 6.8 (Medium) severity, indicating a significant but not critical risk [1][2].
Mitigation
Not yet disclosed in the available references. The references do not provide a fix version, workaround, or EOL status. Users should monitor Red Hat and Keycloak advisories for updates [1][2].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.