CVE-2026-9802 MEDIUM

CVE-2026-9802: Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.6.3
Weakness: CWE-613 · Insufficient session expiration
Published: May 28, 2026
Last update: June 10, 2026

CVSS base score

6.8/10
Attack vector: Network
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

A flaw was found in Keycloak. When revokeRefreshToken=true is set and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker who has previously captured a user's refresh token to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.

Key dates

02 Disclosure timeline

May 28, 2026: CVE published
June 10, 2026: Record updated