Keycloak OpenID Connect Introspection Revocation Policy Bypass Vulnerability

Vulnerability

A vulnerability exists in Keycloak's OpenID Connect (OIDC) token introspection feature. When both a realm-level and a client-level 'notBefore' revocation policy are set, introspection does not properly respect the realm-level policy, so tokens revoked by the realm-wide policy can still be reported as active. This allows revoked tokens to remain usable, potentially leading to unauthorized access or continued session validity. The issue affects systems that rely on Keycloak for identity and access management.
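To make the failure mode concrete, the following is an added, constructed model of an introspection check. It is not Keycloak's source code: the data model, function names and timestamps are assumptions chosen to show the difference between a check that lets a client-level notBefore shadow the realm-level one and a check that honours both (the effective cut-off is the later of the two values).

```python
"""Constructed model of how an OIDC token-introspection endpoint should combine
realm-level and client-level 'notBefore' revocation policies.

Assumption: timestamps are integer seconds since the epoch, as in a JWT 'iat'
claim, and a notBefore of 0 means "no revocation set".  Names are illustrative.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Token:
    client_id: str
    iat: int   # issued-at, seconds since the epoch
    exp: int   # expiry, seconds since the epoch


@dataclass
class RealmPolicy:
    not_before: int                     # realm-wide notBefore; 0 = unset
    client_not_before: dict[str, int]   # per-client notBefore; missing/0 = unset


def introspect_vulnerable(token: Token, policy: RealmPolicy, now: int) -> bool:
    """Flawed check (modelled, not Keycloak's actual code): once a client-level
    notBefore exists, only that value is consulted, so a realm-wide revocation
    issued later is silently ignored."""
    if now >= token.exp:
        return False
    client_nb = policy.client_not_before.get(token.client_id, 0)
    if client_nb:
        return token.iat >= client_nb
    return token.iat >= policy.not_before


def introspect_fixed(token: Token, policy: RealmPolicy, now: int) -> bool:
    """Correct check: a token must post-date BOTH policies, i.e. the effective
    notBefore is the maximum of the realm-level and client-level values."""
    if now >= token.exp:
        return False
    client_nb = policy.client_not_before.get(token.client_id, 0)
    effective_not_before = max(policy.not_before, client_nb)
    return token.iat >= effective_not_before


# Constructed scenario: an operator pushed a client-level revocation at t=1000,
# then a realm-wide revocation at t=2000 (for example after a suspected compromise).
POLICY = RealmPolicy(not_before=2000, client_not_before={"web-app": 1000})

# Token issued at t=1500: after the client-level cut-off but before the
# realm-wide one, so it must be reported as inactive.
TOKEN_AFTER_CLIENT_BEFORE_REALM = Token(client_id="web-app", iat=1500, exp=9000)
# Token issued at t=2500: after both cut-offs, legitimately active.
TOKEN_AFTER_BOTH = Token(client_id="web-app", iat=2500, exp=9000)
NOW = 3000


def compare(token: Token, policy: RealmPolicy = POLICY, now: int = NOW) -> dict:
    """Return both verdicts so the discrepancy is visible in one place."""
    return {
        "vulnerable": introspect_vulnerable(token, policy, now),
        "fixed": introspect_fixed(token, policy, now),
    }


if __name__ == "__main__":
    for name, tok in [("issued 1500", TOKEN_AFTER_CLIENT_BEFORE_REALM),
                      ("issued 2500", TOKEN_AFTER_BOTH)]:
        print(name, compare(tok))
```

The token issued at t=1500 is the one that matters for defenders: the flawed check reports it active because only the client-level cut-off is consulted, while the corrected check rejects it because the realm-wide revocation at t=2000 is later. A regression test for an introspection endpoint should cover exactly this ordering (client-level policy set first, realm-level policy set afterwards).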

Impact

This vulnerability allows revoked OIDC tokens to remain active until they expire, creating a temporary bypass of the revocation control and potentially leading to unauthorized access or extended session validity.

Added: May 19, 2026, 8:27 AM
Updated: May 19, 2026, 8:27 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 1.3
exploitability: 5.4
remediation: 0.0
relevance: 8.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.