CVE-2026-9802
MEDIUMKeycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart
Title source: cnaDescription
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
References (4)
Core 4
Core References
Vendor Advisory vendor-advisory
x_refsource_redhat
RHSA-2026:25097
https://access.redhat.com/errata/RHSA-2026:25097
Vendor Advisory vendor-advisory
x_refsource_redhat
RHSA-2026:25098
https://access.redhat.com/errata/RHSA-2026:25098
Vdb Entry, X_Refsource_Redhat vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2026-9802
Issue Tracking, X_Refsource_Redhat issue-tracking
x_refsource_redhat
RHBZ#2482467
https://bugzilla.redhat.com/show_bug.cgi?id=2482467
Scores
CVSS v3
6.8
EPSS
0.0028
EPSS Percentile
19.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-613
Status
published
Products (5)
Red Hat/Red Hat Build of Keycloak
Red Hat/Red Hat build of Keycloak 26.6
26.6-6
Red Hat/Red Hat build of Keycloak 26.6
26.6.3-3
Red Hat/Red Hat build of Keycloak 26.6.3
redhat/build_of_keycloak
Published
May 28, 2026
Tracked Since
May 28, 2026