PatchSiren cyber security CVE debrief

CVE-2026-9802 Red Hat CVE debrief

A vulnerability in Keycloak allows refresh token replay after server restart when `revokeRefreshToken=true` is enabled with persistent session storage. The flaw stems from internal timing mechanisms resetting on restart, enabling attackers with previously captured refresh tokens to replay them post-revocation. This grants unauthorized account access with potential for information disclosure or privilege escalation. The attack requires network access, high attack complexity, and user interaction, with no authentication prerequisites.

Vendor: Red Hat
Product: Red Hat Build of Keycloak
CVSS: MEDIUM 6.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations operating Keycloak identity and access management infrastructure, particularly those with high-security requirements, compliance mandates for session revocation, or deployments using persistent session storage in containerized/restart-prone environments. Security teams responsible for OAuth 2.0/OpenID Connect token lifecycle management.

Technical summary

The vulnerability exists in Keycloak's session management when `revokeRefreshToken=true` is configured alongside persistent session storage. Upon server restart, internal timing state for token revocation is not properly restored from persistent storage, creating a window where previously revoked refresh tokens may be accepted. The CVSS 3.1 score of 6.8 (MEDIUM) reflects high attack complexity and required user interaction, though successful exploitation yields high impact on confidentiality and integrity. No availability impact is assessed. The flaw is classified under CWE-613 (Insufficient Session Expiration).

Defensive priority

high

Recommended defensive actions

  • Verify Keycloak deployment configuration: check if `revokeRefreshToken=true` is enabled in realm settings
  • Assess session storage implementation: determine if persistent session storage (database-backed) is in use
  • Monitor for anomalous refresh token usage patterns, particularly token reuse after server restarts
  • Apply vendor patches when available from Red Hat/Keycloak project
  • Consider implementing additional session binding mechanisms (device fingerprinting, IP correlation) as compensating controls
  • Review and reduce refresh token lifespans to minimize replay window
  • Enable comprehensive audit logging for token lifecycle events (issuance, revocation, validation)
  • Validate token revocation state against persistent store rather than in-memory caches where feasible
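The monitoring and persistent-state checks above, as an added example that is not part of this debrief or of the Keycloak project: it scans a constructed, simplified event stream (the `type`/`session`/`jti`/`ts` record layout is an assumption, not Keycloak's event schema) and flags any refresh token presented more than once, noting when a server restart falls between the first use and the replay.

```python
# Added example (not from the advisory or the Keycloak project): flag refresh-token
# replay in a constructed, simplified event stream. Keycloak's real event schema and
# field names are NOT reproduced here; the record layout below is an assumption.

# Constructed sample events. Assumed fields: "type" (SERVER_START / REFRESH_TOKEN),
# "session" (client session id), "jti" (id of the refresh token presented to the
# token endpoint), "ts" (epoch seconds).
SAMPLE_EVENTS = [
    {"ts": 100, "type": "REFRESH_TOKEN", "session": "s1", "jti": "rt-a1"},
    {"ts": 160, "type": "REFRESH_TOKEN", "session": "s1", "jti": "rt-a2"},  # rotation: rt-a1 now spent
    {"ts": 200, "type": "SERVER_START"},
    {"ts": 230, "type": "REFRESH_TOKEN", "session": "s1", "jti": "rt-a1"},  # spent token accepted after restart
    {"ts": 300, "type": "REFRESH_TOKEN", "session": "s2", "jti": "rt-b1"},
    {"ts": 320, "type": "REFRESH_TOKEN", "session": "s2", "jti": "rt-b1"},  # reuse with no restart in between
]


def find_replays(events):
    """Return one alert per refresh token presented more than once.

    With revokeRefreshToken=true a refresh token is meant to be single-use, so a
    second presentation of the same jti is treated as a replay. The alert records
    whether a server restart sits between first use and replay, which is the
    pattern this advisory describes.
    """
    first_use = {}   # jti -> ts of first (legitimate) presentation
    restarts = []    # timestamps of SERVER_START events seen so far
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "SERVER_START":
            restarts.append(ev["ts"])
            continue
        if ev["type"] != "REFRESH_TOKEN":
            continue
        jti = ev["jti"]
        if jti not in first_use:
            first_use[jti] = ev["ts"]
            continue
        across_restart = any(first_use[jti] < r < ev["ts"] for r in restarts)
        alerts.append({
            "session": ev["session"],
            "jti": jti,
            "ts": ev["ts"],
            "reason": "replay after server restart" if across_restart else "refresh token reuse",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_replays(SAMPLE_EVENTS):
        print(alert)
```

Feeding the same logic real token-endpoint events (keyed on whatever identifier your deployment logs for the presented refresh token) gives a restart-correlated replay signal independent of the server's in-memory revocation state.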

Evidence notes

Official CVE record published 2026-05-28. Red Hat Bugzilla tracking issue #2482467 confirms vendor acknowledgment. CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N. CWE-613 (Insufficient Session Expiration) identified as primary weakness.
