CVE-2026-8922 — Keycloak: Revoked Tokens Can Remain Active When Both Realm-Level and Client-Leve

Description

A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.

How to fix CVE-2026-8922

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2026-8922 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-8922.

Affected packages (1)

from 0, <= 26.6.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References (10)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-8922
PATCHgithub.com/keycloak/keycloak
WEBaccess.redhat.com/errata/RHSA-2026:25097
WEBaccess.redhat.com/errata/RHSA-2026:25098
WEBaccess.redhat.com