{"id":"CVE-2022-3916","details":"A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.","aliases":["GHSA-97g8-xfvw-q4hg"],"modified":"2026-04-10T04:50:17.794071Z","published":"2023-09-20T15:15:11.583Z","references":[{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2022-3916"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2022:8962"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2022:8963"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:1043"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:1044"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:1049"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2022:8961"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2022:8964"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2022:8965"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:1045"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:1047"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2141404"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/keycloak/keycloak","events":[{"introduced":"0"},{"fixed":"e6ece3318230d73a86ee0e6bdd7bb004fa6c264f"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"20.0.2"}]}}],"versions":["1.0-alpha-1","1.0-alpha-1-12062013","1.0-alpha-2","1.0-alpha-3","1.0-beta-1","1.0-beta-2","1.0-beta-4","1.0-final","1.0-rc-1","1.0.0.Final","1.1.0.Beta2","1.3.0.Final","2.4.0.Test"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.6"}]},{"events":[{"introduced":"0"},{"last_affected":"4.9"}]},{"events":[{"introduced":"0"},{"last_affected":"4.10"}]},{"events":[{"introduced":"0"},{"last_affected":"4.9"}]},{"events":[{"introduced":"0"},{"last_affected":"4.10"}]},{"events":[{"introduced":"0"},{"last_affected":"4.9"}]},{"events":[{"introduced":"0"},{"last_affected":"4.10"}]},{"events":[{"introduced":"0"},{"last_affected":"4.9"}]},{"events":[{"introduced":"0"},{"last_affected":"4.10"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-3916.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}