PatchSiren cyber security CVE debrief
CVE-2026-8922 Red Hat CVE debrief
A flaw in Keycloak's OpenID Connect (OIDC) Introspection feature causes the realm-level `notBefore` revocation policy not to be honored when a client-level `notBefore` policy is also configured. As a result, tokens that should have been revoked remain active, potentially enabling unauthorized access or continued session validity. The vulnerability affects systems using Keycloak for identity and access management. The issue was published on 2026-05-19 and is currently awaiting analysis in the NVD.
- Vendor: Red Hat
- Product: Red Hat Build of Keycloak
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Organizations using Keycloak as an identity provider for OIDC/OAuth2 authentication, particularly those relying on `notBefore` revocation policies for security incident response or credential compromise recovery. Security teams responsible for token lifecycle management and access control policy enforcement.
Technical summary
The vulnerability exists in Keycloak's implementation of RFC 7662 OAuth 2.0 Token Introspection. When processing token introspection requests, the system evaluates revocation timestamps (`notBefore`) to determine whether a token should be considered active. The flaw occurs when both realm-level and client-level `notBefore` policies are configured: the realm-level policy is not enforced, so the introspection endpoint incorrectly returns `"active": true` for tokens that should be revoked based on the realm-level timestamp. This is an authentication bypass condition in which revoked credentials may continue to be accepted by relying parties.
Defensive priority
medium
Recommended defensive actions
- Review Keycloak realm and client configurations for `notBefore` revocation policy settings
- Audit active tokens and sessions for potential unauthorized access following policy misconfigurations
- Apply vendor-provided patches when available from Red Hat
- Monitor OIDC introspection endpoint behavior for proper token rejection
- Consider implementing additional token validation layers as compensating controls
Evidence notes
The vulnerability description indicates that Keycloak's OIDC Introspection endpoint fails to evaluate the realm-level `notBefore` timestamp when a client-level `notBefore` value is present. This suggests a logic error in the token validation code path where client-level settings override or mask realm-level revocation policies. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N) indicates a network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L), no user interaction (UI:N), unchanged scope (S:U), and low confidentiality and integrity impact with no availability impact. The weakness is classified as CWE-303 (Incorrect Implementation of Authentication Algorithm).
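The realm-versus-client `notBefore` logic from the technical summary and the evidence notes, as an added model written for this debrief (constructed here, not Keycloak's code): the flawed evaluation beside the correct one, plus a defender's audit over RFC 7662 introspection responses. All timestamps, client ids and `jti` values are constructed, and the flawed path models the described behaviour rather than reproducing the actual Keycloak code path.

```python
# Constructed model of the notBefore logic described above; not Keycloak's code.
# A notBefore value is a Unix timestamp: a token issued (iat) before it is revoked.
# Realm-level and client-level policies are independent, so a token must pass both.
from collections import namedtuple

REALM_NOT_BEFORE = 1_700_000_000                 # realm-wide push after an incident (constructed)
CLIENT_NOT_BEFORE = {"web-app": 1_690_000_000}   # older client-level policy (constructed)
Token = namedtuple("Token", "jti client_id iat")  # iat: issued-at, Unix seconds

def effective_not_before(realm_nb: int, client_nb: int) -> int:
    """Both policies apply, so the later (stricter) timestamp wins."""
    return max(realm_nb, client_nb)

def is_active_correct(t, realm_nb=REALM_NOT_BEFORE, client_nb=CLIENT_NOT_BEFORE):
    return t.iat >= effective_not_before(realm_nb, client_nb.get(t.client_id, 0))

def is_active_flawed(t, realm_nb=REALM_NOT_BEFORE, client_nb=CLIENT_NOT_BEFORE):
    """Models the defect: a client-level value masks the realm-level one entirely."""
    if t.client_id in client_nb:
        return t.iat >= client_nb[t.client_id]
    return t.iat >= realm_nb

def masked_revocations(tokens, realm_nb=REALM_NOT_BEFORE, client_nb=CLIENT_NOT_BEFORE):
    """Tokens the flawed path keeps active although the realm policy revokes them."""
    return [t.jti for t in tokens
            if is_active_flawed(t, realm_nb, client_nb)
            and not is_active_correct(t, realm_nb, client_nb)]

def audit_introspection(responses, realm_nb=REALM_NOT_BEFORE, client_nb=CLIENT_NOT_BEFORE):
    """Defender check over RFC 7662 introspection responses: flag tokens reported
    active=true whose iat predates the effective notBefore for their client."""
    flagged = []
    for r in responses:
        nb = effective_not_before(realm_nb, client_nb.get(r.get("client_id", ""), 0))
        if r.get("active") and r.get("iat", 0) < nb:
            flagged.append(r.get("jti"))
    return flagged

# Constructed samples: t1 was issued after the client policy but before the realm push.
SAMPLE_TOKENS = [Token("t1", "web-app", 1_695_000_000),   # masked: realm revokes, client passes
                 Token("t2", "web-app", 1_705_000_000),   # issued after both: active
                 Token("t3", "cli", 1_695_000_000)]       # no client policy: realm check applies
SAMPLE_RESPONSES = [{"active": True, "jti": "t1", "client_id": "web-app", "iat": 1_695_000_000},
                    {"active": True, "jti": "t2", "client_id": "web-app", "iat": 1_705_000_000},
                    {"active": False, "jti": "t3", "client_id": "cli", "iat": 1_695_000_000}]

if __name__ == "__main__":
    print("masked by flawed path:", masked_revocations(SAMPLE_TOKENS))          # ['t1']
    print("introspection audit flags:", audit_introspection(SAMPLE_RESPONSES))  # ['t1']
```

To use the audit against a real deployment, feed it the JSON bodies returned by the introspection endpoint together with the realm and per-client `notBefore` values taken from the admin console; any flagged `jti` is a token the endpoint reports active despite a policy that should revoke it.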
Official resources
2026-05-19