What is GHSA-83c4-ffjp-mxp9?

GHSA-83c4-ffjp-mxp9 is a security advisory published by GitHub Security Advisories with Medium severity. A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation...

Which CVE IDs does GHSA-83c4-ffjp-mxp9 cover?

GHSA-83c4-ffjp-mxp9 covers the following CVE IDs: CVE-2026-8922. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-83c4-ffjp-mxp9?

GHSA-83c4-ffjp-mxp9 has a CVSS v3 base score of 5.4, published by GitHub Security Advisories.

GHSA-83c4-ffjp-mxp9MediumCVSS 5.4

A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation...

Vendor

GitHub Security Advisories

Published

May 19, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-8922 →

📋 Description

A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-8922
https://access.redhat.com/security/cve/CVE-2026-8922
https://bugzilla.redhat.com/show_bug.cgi?id=2479586
https://github.com/advisories/GHSA-83c4-ffjp-mxp9