logo

Database

Security controls bypass or absence In org.keycloak:keycloak-services

Description

Keycloak: Revoked Tokens Can Remain Active When Both Realm-Level and Client-Level notBefore Revocation Policies are Configured A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-89222. NVD-2026-89223. OSV-2026-89224. GCVE-2026-89225. ACCESS-CVE-2026-8922

References

1. https://github.com/keycloak/keycloak/issues/491182. https://github.com/keycloak/keycloak/pull/491293. https://github.com/keycloak/keycloak/commit/b6cd645683f469724cd588fac415fe09bd20a27a4. https://github.com/keycloak/keycloak/commit/c5bda802e98b412e42fa62ff6240669e9ea4a8585. https://bugzilla.redhat.com/show_bug.cgi?id=2479586

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.