CVE-2026-9802: Keycloak Refresh Token Replay After Revocation
Keycloak contains a vulnerability where refresh tokens can be replayed after revocation under specific conditions. When token revocation is enabled alongside persistent session storage, a server restart can cause the system to lose track of timing information, allowing an attacker who previously captured a user's refresh token to reuse it for unauthorized account access. This is a medium-severity flaw that requires network access and user interaction to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.8 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-613
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-26
NVD description (verbatim)
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-9802 involves a flaw in Keycloak's token revocation mechanism (CWE-613: Insufficient Session Expiration). The vulnerability exists when revokeRefreshToken=true is configured with persistent session storage enabled. Upon server restart, internal timing mechanisms are reset, causing the revocation state to become unsynchronized. An attacker in possession of a previously-captured refresh token can exploit this desynchronization to replay the token and bypass authentication controls, even though it should have been invalidated. The vulnerability requires network-level access, high attack complexity (specific configuration and restart conditions), and relies on user interaction in the attack chain.
Business impact
Successful exploitation allows unauthorized account takeover, potentially exposing sensitive user data and enabling privilege escalation within integrated systems. In environments where Keycloak manages access to multiple applications or sensitive resources, a compromised token could provide lateral movement opportunities. The impact is heightened in organizations using Keycloak for identity federation or managing high-privilege accounts. However, the medium severity reflects that specific configuration and operational conditions must align for the flaw to be exploitable.
Affected systems
Red Hat Build of Keycloak is affected by this vulnerability. Organizations running Keycloak with both revokeRefreshToken=true enabled and persistent session storage configured are at risk. This particularly impacts deployments using Keycloak as a centralized identity provider for multiple applications or in hybrid cloud environments where service restarts are routine operational activities.
Exploitability
The attack requires three preconditions: (1) the attacker must have previously obtained a valid refresh token (likely through credential compromise or token theft), (2) the target environment must have both token revocation and persistent session storage enabled, and (3) a server restart must occur after revocation but before token expiry. The attack is triggered when the attacker attempts to refresh an access token using the captured refresh token. While not trivially exploitable, the conditions are realistic in production environments, particularly those with frequent deployment cycles or high-availability architectures requiring rolling restarts.
Remediation
Apply the vendor patch when available. As an interim measure, organizations should review their Keycloak configuration and consider disabling persistent session storage if operationally feasible, or implement additional controls to prevent refresh token capture (such as token rotation policies, secure token storage, and network-level access controls). Monitor for suspicious token refresh patterns, particularly around system restart windows.
Patch guidance
Verify the Red Hat security advisory for Keycloak to identify the patched version applicable to your deployment. Apply patches according to your change management process, prioritizing systems where Keycloak manages authentication for sensitive applications. Test token revocation behavior after patching to confirm that revoked tokens are properly rejected across server restarts.
Detection guidance
Monitor Keycloak authentication logs for refresh token reuse patterns, particularly for tokens that should have been revoked. Alert on multiple failed or successful token refresh attempts using identical token values, especially clustered around server restart events. Implement audit logging for token revocation events and correlate them with subsequent token usage. Review session storage integrity and synchronization across clustered Keycloak instances.
Why prioritize this
While the CVSS score of 6.8 (MEDIUM) reflects attack complexity requirements, the vulnerability carries business risk due to its impact on account confidentiality and integrity. Organizations should prioritize patching based on Keycloak's role in their identity infrastructure—higher priority for deployments serving multiple applications or managing privileged access. The vulnerability is not yet in the Known Exploited Vulnerabilities catalog, providing a window for proactive remediation.
Risk score, explained
The CVSS:3.1 score of 6.8 reflects: network-accessible attack surface (AV:N), high attack complexity due to configuration and operational preconditions (AC:H), no privilege requirement (PR:N), user interaction needed (UI:R), and impacts to confidentiality and integrity of victim accounts (C:H/I:H) but not availability (A:N). The medium severity appropriately accounts for the specific configuration requirements and operational conditions necessary to trigger the flaw.
Frequently asked questions
Does this vulnerability affect all Keycloak deployments?
No. The vulnerability requires both revokeRefreshToken=true to be enabled and persistent session storage to be configured. Deployments using in-memory session storage or those with token revocation disabled are not vulnerable. Review your Keycloak configuration to determine if you are running an at-risk setup.
What happens during a server restart that enables this attack?
When the Keycloak server restarts, internal timing and state information used to track revoked tokens is reset. If persistent session storage is enabled, the revocation records may not be immediately reconstructed, creating a window where an attacker can replay a revoked token before the system re-synchronizes its state.
How can I detect if someone has exploited this vulnerability in my environment?
Look for refresh token reuse patterns in your Keycloak logs, particularly for the same token being used multiple times or being used after a known revocation event. Correlate token refresh attempts with server restart times. Implement detailed audit logging for all token operations if not already in place.
Is there a temporary workaround if I cannot patch immediately?
Consider disabling persistent session storage if your architecture allows it, or implement external controls such as refresh token rotation policies and network-level access restrictions to Keycloak's token endpoints. However, patching remains the recommended long-term remediation.
This analysis is provided for informational purposes. While based on available vulnerability data, specific patch versions, vendor advisories, and organizational risk assessments should be verified independently. Organizations should validate compatibility and test patches in non-production environments before deployment. SEC.co does not warrant the accuracy of third-party vendor information or guarantee the completeness of remediation guidance for all deployment scenarios. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-48726MEDIUMApache Airflow JWT Token Revocation Bypass in FAB and Keycloak Logout
- CVE-2026-44648HIGHSillyTavern Session Expiration Vulnerability – Account Takeover Risk
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-9791MEDIUMKeycloak Organization Metadata Disclosure in OIDC Tokens
- CVE-2026-9792MEDIUMKeycloak Client Policies ROPC Grant Bypass
- CVE-2026-9793MEDIUMKeycloak JWE Signature Bypass in OIDC Request Objects
- CVE-2026-9794MEDIUMKeycloak SAML ECP Information Disclosure Vulnerability
- CVE-2026-9796MEDIUMKeycloak TOCTOU Privilege Escalation—Persistent Realm-Admin Access