MEDIUM 6.8
GHSA-v5g5-wwmp-jppw
Keycloak has Insufficient Session Expiration
Details
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
Are you affected?
Enter the version of the package you're using.
Affected packages
Maven / org.keycloak:keycloak-services
Introduced in:
0 No fixed version published yet for org.keycloak:keycloak-services (maven). Pin to a known-safe version or switch to an alternative.
Maven / org.keycloak:keycloak-services
Introduced in:
26.5.0 Fixed in: 26.6.3 Fix
# pom.xml: bump <version>26.6.3</version> for org.keycloak:keycloak-services References
- https://nvd.nist.gov/vuln/detail/CVE-2026-9802 [ADVISORY]
- https://github.com/keycloak/keycloak/issues/49426 [WEB]
- https://github.com/keycloak/keycloak/pull/49542 [WEB]
- https://github.com/keycloak/keycloak/pull/49619 [WEB]
- https://github.com/keycloak/keycloak/pull/49620 [WEB]
- https://github.com/keycloak/keycloak/commit/165df48d3f0f42ede8e6082184892ca7cc703989 [WEB]
- https://github.com/keycloak/keycloak/commit/3451217e3837ce5e8bbcac2773f0ac44830b95f1 [WEB]
- https://github.com/keycloak/keycloak/commit/3fde018b98e2729a594a3ac7fc730fde31da2f07 [WEB]
- https://access.redhat.com/errata/RHSA-2026:25097 [WEB]
- https://access.redhat.com/errata/RHSA-2026:25098 [WEB]
- https://access.redhat.com/errata/RHSA-2026:30049 [WEB]
- https://access.redhat.com/errata/RHSA-2026:30050 [WEB]
- https://access.redhat.com/security/cve/CVE-2026-9802 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2482467 [WEB]
- https://github.com/keycloak/keycloak [PACKAGE]