Flaw in Keycloak's OIDC Introspection Feature Allows Unauthorized Access
CVE-2026-8922

5.4MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Build Of Keycloak
Vendor: CVE Published:; 19 May 2026

What is CVE-2026-8922?

A flaw was identified in Keycloak that impacts the OpenID Connect (OIDC) Introspection capability. When realm-level and client-level 'notBefore' revocation policies are set, the OIDC feature improperly fails to enforce the realm-level policy. This oversight allows tokens, which should have been invalidated, to remain operational. Consequently, this can lead to unauthorized access or enable ongoing session validity, thereby compromising the security of identity and access management systems that depend on Keycloak.

References

https://access.redhat.com/security/cve/CVE-2026-8922

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2479586

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 19, 2026
Vulnerability Reserved
May 19, 2026

Credit

Red Hat would like to thank Joy Gilbert and Reynaldo Immanuel for reporting this issue.

CVE-2026-8922 Data

JSON