This vulnerability affects the Red Hat Build of Keycloak authentication system. When the configuration revokeRefreshToken=true is active alongside persistent session storage, a server restart resets internal timing mechanisms responsible for token revocation enforcement. Consequently, an attacker who has captured a user's refresh token prior to revocation can reuse that token post-restart, bypassing intended session expiration controls. This flaw can result in unauthorized account access with potential confidentiality and integrity impacts. The CVSS 3.1 vector is AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N, reflecting network attack vector, high attack complexity, no privileges required, user interaction required, unchanged scope, and high confidentiality and integrity impacts without availability impact. No known exploits are reported in the wild. The vendor advisory does not currently specify a patch or mitigation.

Successful exploitation allows an attacker to reuse a revoked refresh token after a server restart, granting unauthorized access to the victim's account. This can lead to information disclosure and privilege escalation within the affected system. The vulnerability does not impact availability. The medium CVSS score reflects the need for user interaction and high attack complexity, but significant confidentiality and integrity risks.

As of the current vendor advisory, no official patch or remediation has been announced. Users should monitor the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9802 for updates. Until a fix is available, consider minimizing server restarts during active sessions or disabling revokeRefreshToken=true if feasible, understanding the security trade-offs. Avoid relying solely on token revocation for session invalidation in environments where persistent session storage and server restarts occur.