CVE-2026-8922 Overview
CVE-2026-8922 is a token revocation flaw in Keycloak, an open source identity and access management solution. When administrators configure both realm-level and client-level notBefore revocation policies, the OpenID Connect (OIDC) Introspection feature fails to honor the realm-level policy. Tokens that should have been invalidated remain active and accepted by downstream services. The defect is categorized under CWE-303: Incorrect Implementation of Authentication Algorithm and affects identity-driven authorization decisions across applications relying on Keycloak introspection responses.
Critical Impact
Revoked OIDC tokens remain valid through the introspection endpoint, allowing continued session access and potential unauthorized actions against protected resources.
Affected Products
- Keycloak (Red Hat advisory tracks affected versions)
- Red Hat build of Keycloak
- Applications and services relying on Keycloak OIDC token introspection for authorization
Discovery Timeline
- 2026-05-19 - CVE-2026-8922 published to NVD
- 2026-05-19 - Last updated in NVD database
Technical Details for CVE-2026-8922
Vulnerability Analysis
Keycloak supports revocation policies that invalidate tokens issued before a specified time using the notBefore (nbf) cutoff. Administrators can set this cutoff at the realm level, applying it to every client, or at the individual client level. The OIDC Introspection endpoint is expected to evaluate both policies and reject any token whose issuance time predates either cutoff.
The flaw causes introspection responses to ignore the realm-level notBefore value when a client-level value is also configured. The endpoint returns "active": true for tokens that the realm policy should have revoked. Resource servers calling introspection to validate tokens therefore accept credentials that an administrator believed were invalidated.
The vulnerability does not enable an attacker to forge tokens. It instead extends the usable lifetime of previously valid tokens beyond an administrative revocation event, undermining incident response actions such as mass session invalidation after a credential compromise.
Root Cause
The root cause is incorrect policy precedence logic in the introspection code path. When both realm and client notBefore values are present, the implementation evaluates only the client-level policy. This violates the documented behavior, in which the most restrictive cutoff should apply [CWE-303].
Attack Vector
Exploitation requires an authenticated actor in possession of a previously issued token. After an administrator sets a realm-level notBefore to revoke active sessions, the attacker continues presenting the old token to any resource server that validates through the OIDC Introspection endpoint. The endpoint reports the token as active, and the resource server grants access.
No verified public proof-of-concept code is published for CVE-2026-8922. Refer to the Red Hat CVE-2026-8922 Advisory and Red Hat Bug Report #2479586 for vendor technical detail.
Detection Methods for CVE-2026-8922
Indicators of Compromise
- Successful authentication or API access using tokens issued before a realm notBefore timestamp set in Keycloak admin events.
- Introspection responses returning "active": true for tokens with iat values earlier than the configured realm-level notBefore.
- User or service account activity continuing after an administrator triggered a realm-wide session revocation.
Detection Strategies
- Compare token iat claims in resource server access logs against realm notBefore values configured in Keycloak to surface tokens that should have been rejected.
- Audit Keycloak admin events for UPDATE_REALM actions that change notBefore, then correlate with subsequent introspection traffic for tokens predating the change.
- Replay sample tokens issued before a notBefore cutoff against /realms/{realm}/protocol/openid-connect/token/introspect and alert when the response is active: true.
Monitoring Recommendations
- Forward Keycloak server logs, admin event logs, and resource server authorization decisions to a centralized analytics platform for correlation.
- Track introspection endpoint response patterns over time and alert on a sustained population of tokens with iat older than the active realm notBefore.
- Monitor privileged session activity for accounts that were targeted by a recent revocation policy change.
How to Mitigate CVE-2026-8922
Immediate Actions Required
- Apply the Keycloak update referenced in the Red Hat CVE-2026-8922 Advisory as soon as it is available for your distribution.
- When revoking sessions, set the notBefore value on every affected client in addition to the realm level until patches are deployed.
- Rotate signing keys for realms where a prior revocation event may have been bypassed, forcing reissuance of all tokens.
Patch Information
Refer to the Red Hat CVE-2026-8922 Advisory and Red Hat Bug Report #2479586 for fixed package versions and errata applicable to Red Hat build of Keycloak and upstream Keycloak releases.
Workarounds
- Apply notBefore at the client level for every client in the realm whenever a realm-wide revocation is intended, removing reliance on realm-level enforcement during introspection.
- Reduce access token lifetimes in realm token settings so that any bypassed revocation has a shorter window of usable validity.
- Rotate the realm signing keys after high-impact revocation events, which invalidates all outstanding tokens regardless of the notBefore evaluation defect.
# Configuration example: force a client-level notBefore using kcadm.sh
# Replace <realm>, <client-id>, and the epoch timestamp as appropriate.
kcadm.sh update clients/<client-uuid> \
-r <realm> \
-s 'notBefore=1747641600'
# Verify the value was written
kcadm.sh get clients/<client-uuid> -r <realm> --fields id,clientId,notBefore
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
