CVE-2026-8922
5.4 MEDIUMA flaw was found in Keycloak
Published: 2026-05-19 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 5.4 MEDIUM
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- CWE
- CWE-303
Affected products
| Vendor | Product |
|---|---|
| redhat | build_of_keycloak |
Description
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-1767 — A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component (5.6 MEDIUM)
- CVE-2026-1766 — A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 com... (5.6 MEDIUM)
- CVE-2026-11793 — A stack buffer overflow flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11790 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11789 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
Same CWE
- CVE-2026-46389 — UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Identity dep... (10.0 CRITICAL)
- CVE-2025-53782 — Incorrect implementation of authentication algorithm in Microsoft Exchange Server allows an unauthorized attacker to elevate privileges l... (8.4 HIGH)
- CVE-2024-7593 — Incorrect implementation of an authentication algorithm in Ivanti vTM other than versions 22.2R1 or 22.7R2 allows a remote unauthenticate... (9.8 CRITICAL)