PT-2026-41841 · Red Hat · Keycloak

Published 2026-05-19 · Updated 2026-05-19 · CVE-2026-8922

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)

Description: A flaw in the OpenID Connect (OIDC) token introspection feature occurs when both a realm-level and a client-level notBefore revocation policy are configured. In this scenario the introspection check fails to honor the realm-level policy, so tokens that the realm-level policy should have revoked are still reported as active. This can lead to unauthorized access or continued session validity.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
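The policy interaction described above, modelled as an added Python example: this is not Keycloak's code, the flawed path is an assumed model of the described behaviour (client-level policy consulted alone, realm-level policy never applied), and the timestamps and tokens are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Policies:
    """notBefore values in epoch seconds; 0 means that policy was never pushed."""
    realm_not_before: int = 0
    client_not_before: int = 0


def effective_not_before(p: Policies) -> int:
    """The strictest (latest) policy wins: a token must postdate both pushes."""
    return max(p.realm_not_before, p.client_not_before)


def introspect_fixed(token: dict, p: Policies, now: int) -> bool:
    """Expected behaviour: active only if unexpired and issued at or after
    every configured notBefore policy (realm-level and client-level)."""
    return token["exp"] > now and token["iat"] >= effective_not_before(p)


def introspect_buggy(token: dict, p: Policies, now: int) -> bool:
    """Assumed model of the flaw: once a client-level policy exists it is
    consulted alone, so a later realm-level push never revokes this client's
    tokens."""
    nb = p.client_not_before if p.client_not_before else p.realm_not_before
    return token["exp"] > now and token["iat"] >= nb


def revoked_but_active(tokens: list, p: Policies, now: int) -> list:
    """Defender's check: token ids the flawed path still reports active even
    though the effective (realm-level) policy revokes them."""
    return [t["jti"] for t in tokens
            if introspect_buggy(t, p, now) and not introspect_fixed(t, p, now)]


# Constructed scenario: a client-level push at t=1000, then a realm-wide
# push at t=2000 (for example after a realm-wide credential reset).
POLICIES = Policies(realm_not_before=2000, client_not_before=1000)
NOW = 3000
TOKENS = [
    {"jti": "old", "iat": 500, "exp": 4000},       # revoked by both policies
    {"jti": "mid", "iat": 1500, "exp": 4000},      # revoked only by the realm push
    {"jti": "new", "iat": 2500, "exp": 4000},      # issued after both: active
    {"jti": "expired", "iat": 2500, "exp": 2900},  # expired regardless of policy
]

if __name__ == "__main__":
    print("realm-level revocation ignored for:", revoked_but_active(TOKENS, POLICIES, NOW))
```

The token issued between the two pushes ("mid") is the one the flawed path keeps alive; a deployment check of the same shape (push a realm-level notBefore, then introspect a token issued before it) distinguishes a fixed build from an affected one.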

Weakness Enumeration

Related Identifiers: CVE-2026-8922

Affected Products: Keycloak