Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-9088 (GCVE-0-2026-9088)
Vulnerability from cvelistv5 – Published: 2026-06-05 07:52 – Updated: 2026-06-10 21:29
VLAI
EPSS
Title
Keycloak: keycloak: information disclosure due to user profile permission bypass
Summary
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-1220 - Insufficient Granularity of Access Control
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:25097 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:25098 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-9088 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2480179 | issue-trackingx_refsource_REDHAT |
Impacted products
3 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.6 |
Unaffected:
26.6.3-3 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.6::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6 |
Unaffected:
26.6-6 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.6::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6.3 |
cpe:/a:redhat:build_keycloak:26.6::el9 |
Date Public
2026-06-05 07:45
Credits
Red Hat would like to thank Hadley So for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9088",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-05T13:10:30.927804Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T13:10:40.187Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6.3-3",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-6",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6.3",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Hadley So for reporting this issue."
}
],
"datePublic": "2026-06-05T07:45:40.116Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Low"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1220",
"description": "Insufficient Granularity of Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-10T21:29:23.204Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:25097",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"name": "RHSA-2026:25098",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-9088"
},
{
"name": "RHBZ#2480179",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480179"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-20T15:01:25.568Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-05T07:45:40.116Z",
"value": "Made public."
}
],
"title": "Keycloak: keycloak: information disclosure due to user profile permission bypass",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-1220: Insufficient Granularity of Access Control"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-9088",
"datePublished": "2026-06-05T07:52:52.858Z",
"dateReserved": "2026-05-20T15:01:48.645Z",
"dateUpdated": "2026-06-10T21:29:23.204Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-9088",
"date": "2026-06-10",
"epss": "6e-05",
"percentile": "0.00446"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-9088\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2026-06-05T08:16:30.990\",\"lastModified\":\"2026-06-10T22:17:03.250\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N\",\"baseScore\":2.7,\"baseSeverity\":\"LOW\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.2,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1220\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2026:25097\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:25098\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-9088\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2480179\",\"source\":\"secalert@redhat.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-9088\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-05T13:10:30.927804Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-05T13:10:35.440Z\"}}], \"cna\": {\"title\": \"Keycloak: keycloak: information disclosure due to user profile permission bypass\", \"credits\": [{\"lang\": \"en\", \"value\": \"Red Hat would like to thank Hadley So for reporting this issue.\"}], \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Low\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 2.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"LOW\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"LOW\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.6\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.6.3-3\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-operator-bundle\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.6\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.6-6\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.6\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.6-6\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9-operator\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.6.3\", \"packageName\": \"rhbk/keycloak-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-05-20T15:01:25.568Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-06-05T07:45:40.116Z\", \"value\": \"Made public.\"}], \"datePublic\": \"2026-06-05T07:45:40.116Z\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2026:25097\", \"name\": \"RHSA-2026:25097\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:25098\", \"name\": \"RHSA-2026:25098\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2026-9088\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2480179\", \"name\": \"RHBZ#2480179\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1220\", \"description\": \"Insufficient Granularity of Access Control\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2026-06-10T21:29:23.204Z\"}, \"x_redhatCweChain\": \"CWE-1220: Insufficient Granularity of Access Control\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-9088\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-10T21:29:23.204Z\", \"dateReserved\": \"2026-05-20T15:01:48.645Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2026-06-05T07:52:52.858Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-9088
Vulnerability from fkie_nvd - Published: 2026-06-05 08:16 - Updated: 2026-06-10 22:17
Severity
Summary
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure."
}
],
"id": "CVE-2026-9088",
"lastModified": "2026-06-10T22:17:03.250",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.2,
"impactScore": 1.4,
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
},
"published": "2026-06-05T08:16:30.990",
"references": [
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/security/cve/CVE-2026-9088"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480179"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Awaiting Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-1220"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
}
GHSA-6G26-7CX5-MRRG
Vulnerability from github – Published: 2026-06-05 09:33 – Updated: 2026-06-11 00:32
VLAI
Details
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
Severity
{
"affected": [],
"aliases": [
"CVE-2026-9088"
],
"database_specific": {
"cwe_ids": [
"CWE-1220"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-05T08:16:30Z",
"severity": "LOW"
},
"details": "A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.",
"id": "GHSA-6g26-7cx5-mrrg",
"modified": "2026-06-11T00:32:03Z",
"published": "2026-06-05T09:33:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9088"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-9088"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480179"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
RHSA-2026:25097
Vulnerability from csaf_redhat - Published: 2026-06-10 17:35 - Updated: 2026-06-10 21:22Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.6.3 Images Update
Severity
Moderate
Notes
Topic: New images are available for Red Hat build of Keycloak 26.6.3 and Red Hat build of Keycloak 26.6.3 Operator, running on OpenShift Container Platform
Details: Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
Red Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.6.3 clusters.
This erratum releases new images for Red Hat build of Keycloak 26.6.3 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.
Security fixes:
* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)
* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)
* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)
* Denial of Service via malformed Authorization header (CVE-2026-9803)
* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)
* Information disclosure via SAML ECP endpoint (CVE-2026-9794)
* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)
* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)
* Information disclosure due to user profile permission bypass (CVE-2026-9088)
* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)
* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)
* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)
* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)
* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
CWE-918 - Server-Side Request Forgery (SSRF)Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
5.4 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.
4.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
5.4 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
6.4 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
CWE-1220 - Insufficient Granularity of Access ControlAffected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
6.8 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.
4.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
6.5 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
4.9 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
6.8 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
CWE-346 - Origin Validation ErrorAffected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le | — |
Vendor Fix
fix
|
Threats
Impact
Low
References
59 references
Acknowledgments
Independent Security Researcher
Evan Hendra
Evan Hendra
RedHat
Martin Bartoš
Joy Gilbert
Reynaldo Immanuel
Hadley So
Filip Jovanov (PegasusMKD)
Muhammed Hussein
Asaad Mostafa
Seongkuk Park
Gyeongpyo Son
Mustafa Çetin
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New images are available for Red Hat build of Keycloak 26.6.3 and Red Hat build of Keycloak 26.6.3 Operator, running on OpenShift Container Platform",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\nRed Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.6.3 clusters.\n\nThis erratum releases new images for Red Hat build of Keycloak 26.6.3 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity fixes:\n* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)\n* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)\n* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)\n* Denial of Service via malformed Authorization header (CVE-2026-9803)\n* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)\n* Information disclosure via SAML ECP endpoint (CVE-2026-9794)\n* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)\n* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)\n* Information disclosure due to user profile permission bypass (CVE-2026-9088)\n* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)\n* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)\n* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)\n* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)\n* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:25097",
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_25097.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.6.3 Images Update",
"tracking": {
"current_release_date": "2026-06-10T21:22:06+00:00",
"generator": {
"date": "2026-06-10T21:22:06+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2026:25097",
"initial_release_date": "2026-06-10T17:35:31+00:00",
"revision_history": [
{
"date": "2026-06-10T17:35:31+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-10T17:35:31+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-10T21:22:06+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.6",
"product": {
"name": "Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.6::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le",
"product_id": "rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.6-6"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.6-6"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"product_id": "rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.6-6"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.6-6"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"product_id": "rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.6-6"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"product": {
"name": "rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"product_id": "rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-operator-bundle\u0026tag=26.6.3-3"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.6-6"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"product_id": "rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.6-6"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.6-6"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64 as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64"
},
"product_reference": "rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64 as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64 as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64 as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64 as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.6"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-4874",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2026-03-26T05:51:10.233928+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2451611"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server\u2019s network context, potentially probing internal networks or internal APIs, leading to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw allows an authenticated attacker to perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This vulnerability is exploitable when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder, enabling the attacker to probe internal networks from the Keycloak server\u0027s context. Exploitation requires valid user credentials and a logout event.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4874"
},
{
"category": "external",
"summary": "RHBZ#2451611",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451611"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4874",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4874"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4874",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4874"
}
],
"release_date": "2026-03-26T05:56:03.440000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
]
}
],
"cve": "CVE-2026-7500",
"cwe": {
"id": "CWE-425",
"name": "Direct Request (\u0027Forced Browsing\u0027)"
},
"discovery_date": "2026-04-30T14:31:57.661264+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464126"
}
],
"notes": [
{
"category": "description",
"text": "When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional \u2014 including both read and write operations \u2014 because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the account Account API feature is disabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Keycloak allows authenticated users to bypass the intended disablement of the account and account-api features when Keycloak is started with `--features-disabled=account,account-api`. This bypass enables unauthorized read and write operations on specific account endpoints, despite the configuration aiming to restrict such access.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7500"
},
{
"category": "external",
"summary": "RHBZ#2464126",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464126"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7500",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7500"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7500",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7500"
}
],
"release_date": "2026-04-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "To reduce the attack surface, restrict network access to the Keycloak server\u0027s administration and API endpoints to trusted networks or hosts. This limits the ability of unauthorized users to interact with the server and potentially exploit this improper access control vulnerability. If the Keycloak service is reloaded or restarted, ensure that firewall rules or network access controls remain in effect.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the account Account API feature is disabled"
},
{
"acknowledgments": [
{
"names": [
"Martin Barto\u0161"
],
"organization": "RedHat"
}
],
"cve": "CVE-2026-8830",
"cwe": {
"id": "CWE-603",
"name": "Use of Client-Side Authentication"
},
"discovery_date": "2026-05-18T13:09:00.257429+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2479565"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential\u0027s parameters, such as public key algorithms, match the realm\u0027s configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak/keycloak-services: Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Moderate security flaw was found in Keycloak\u0027s WebAuthn credential registration process. This issue allows an authenticated attacker to bypass configured WebAuthn policies, such as algorithm requirements or user verification, by manipulating client-side JavaScript during registration. This bypass could lead to the registration of credentials that do not meet the intended security standards, potentially weakening the overall authentication posture.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-8830"
},
{
"category": "external",
"summary": "RHBZ#2479565",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479565"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-8830",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8830"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-8830",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8830"
}
],
"release_date": "2026-05-19T05:00:04.741000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak/keycloak-services: Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation"
},
{
"acknowledgments": [
{
"names": [
"Joy Gilbert",
"Reynaldo Immanuel"
]
}
],
"cve": "CVE-2026-8922",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2026-05-18T14:50:44.323413+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2479586"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak\u0027s OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: Security flaw in org.keycloak/keycloak-services",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Red Hat Build of Keycloak allows revoked OpenID Connect (OIDC) tokens to remain active due to a failure in honoring realm-level revocation policies when client-level `notBefore` values are also configured. This occurs because the client-level setting can interfere with the intended realm-level revocation, leading to a temporary bypass of security controls.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-8922"
},
{
"category": "external",
"summary": "RHBZ#2479586",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479586"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-8922",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8922"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-8922",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8922"
}
],
"release_date": "2026-05-19T06:22:56.138000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: Security flaw in org.keycloak/keycloak-services"
},
{
"cve": "CVE-2026-9087",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-05-20T14:53:02.458000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480172"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId,\nidpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim\u0027s local account.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A flaw in Keycloak\u0027s cross-session email verification allows an attacker to gain persistent access to a victim\u0027s local account. This occurs when an attacker controls an upstream identity provider account sharing an email with the victim, and the victim is actively linking their account while email verification is enabled and the identity provider is configured with `trustEmail=false`. The attacker can then consume the verification proof, linking their account to the victim\u0027s.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9087"
},
{
"category": "external",
"summary": "RHBZ#2480172",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480172"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9087",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9087"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9087",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9087"
}
],
"release_date": "2026-05-20T14:53:44.238000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "To mitigate this issue, configure the affected identity provider to set `trustEmail=true`. This ensures that Keycloak trusts the email address provided by the upstream identity provider, bypassing the vulnerable verification flow. This mitigation should only be applied if the upstream identity provider is fully trusted to verify email addresses and prevent malicious account creation with existing email addresses. Configuration changes may require a Keycloak service restart or reload to take effect.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login"
},
{
"acknowledgments": [
{
"names": [
"Hadley So"
]
}
],
"cve": "CVE-2026-9088",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2026-05-20T15:01:25.568000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480179"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure due to user profile permission bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Low: A flaw in Keycloak allows administrators with delegated access to read group memberships and users to bypass user profile permissions. This enables the viewing of user attributes that are configured to be denied, impacting data confidentiality for specific administrative roles.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9088"
},
{
"category": "external",
"summary": "RHBZ#2480179",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480179"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9088",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9088"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9088",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9088"
}
],
"release_date": "2026-06-05T07:45:40.116000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Keycloak: Information disclosure due to user profile permission bypass"
},
{
"acknowledgments": [
{
"names": [
"Filip Jovanov (PegasusMKD)"
]
}
],
"cve": "CVE-2026-9704",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-05-27T12:27:13.702000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2481877"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client\u0027s service account, leading to privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate flaw in Keycloak allows an authenticated, low-privileged user to escalate privileges. By submitting an oversized `subject_token` JWT to the TokenEndpoint, the system defaults to client credentials, granting the attacker the client\u0027s service account permissions. This bypass occurs when the token exceeds a 4000-character limit, leading to an unintended privilege gain.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9704"
},
{
"category": "external",
"summary": "RHBZ#2481877",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481877"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9704",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9704"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9704",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9704"
}
],
"release_date": "2026-05-27T12:45:59.735000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "To prevent the silent dropping of oversized `subject_token` JWTs, configure Keycloak to enforce strict parameter validation. This involves setting the `fail-fast` parameter to `true` for the `TokenEndpoint` configuration, which will cause requests with oversized parameters to be rejected explicitly rather than silently processed with reduced privileges. Consult Keycloak documentation for the exact method to modify these settings. A restart of the Keycloak service may be necessary for the changes to apply.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-9791",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2026-05-28T03:06:33+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482458"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the \u0027organization\u0027 scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-rhel9: Organization Data Leak After Feature Disabled in Keycloak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Keycloak fails to enforce the disabled state of the Organizations feature on user-facing APIs, allowing authenticated users to retrieve organization membership data and obtain tokens with organization claims even after an administrator has disabled the feature at the realm level.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9791"
},
{
"category": "external",
"summary": "RHBZ#2482458",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482458"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9791",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9791"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9791",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9791"
}
],
"release_date": "2026-05-28T03:08:53.319000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "Administrators should verify that disabling the Organizations feature properly blocks all organization-related functionality. Consider implementing additional access controls or removing organization memberships before disabling the feature.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak-rhel9: Organization Data Leak After Feature Disabled in Keycloak"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-9792",
"cwe": {
"id": "CWE-280",
"name": "Improper Handling of Insufficient Permissions or Privileges"
},
"discovery_date": "2026-05-28T03:09:09.710000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482459"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Medium severity flaw in Keycloak allows client policies designed to reject Resource Owner Password Credentials (ROPC) grants to be bypassed. When specific condition providers (client-type, client-roles, client-attributes, or client-scopes) are used, clients can obtain tokens via ROPC despite explicit policy configuration to block such requests. This impacts Keycloak deployments where administrators rely on these policies to enforce FAPI 2.0 compliance and prevent credential exposure.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9792"
},
{
"category": "external",
"summary": "RHBZ#2482459",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482459"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9792",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9792"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9792",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9792"
}
],
"release_date": "2026-05-28T03:10:21.828000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "To mitigate this issue, Keycloak administrators should review and adjust client policies designed to reject Resource Owner Password Credentials (ROPC) grants. Avoid using the `client-type`, `client-roles`, `client-attributes`, or `client-scopes` condition providers in conjunction with the `reject-ropc-grant` executor. Instead, configure policies to use the `grant-type` condition provider for ROPC rejection. A restart or reload of the Keycloak service may be required for these policy changes to take full effect.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition"
},
{
"acknowledgments": [
{
"names": [
"Muhammed Hussein",
"Asaad Mostafa"
]
}
],
"cve": "CVE-2026-9794",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2026-05-28T03:14:55.617000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482461"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client\u0027s protocol type, leading to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure via SAML ECP endpoint",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate-severity information disclosure flaw in Keycloak allows an unauthenticated, remote attacker to enumerate client protocol types. By sending specially crafted SOAP requests to the SAML ECP endpoint and analyzing the resulting faultstrings, an attacker can discern the protocol associated with different client IDs, aiding in further targeted attacks.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9794"
},
{
"category": "external",
"summary": "RHBZ#2482461",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482461"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9794",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9794"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9794",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9794"
}
],
"release_date": "2026-05-28T03:15:43.066000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Information disclosure via SAML ECP endpoint"
},
{
"acknowledgments": [
{
"names": [
"Seongkuk Park"
]
}
],
"cve": "CVE-2026-9801",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-05-28T04:00:39.339000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482473"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via malformed LDAP password policy response",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Keycloak presents a denial-of-service risk when an LDAP user-storage provider is configured. A highly privileged attacker, such as a realm administrator or through a compromised LDAP connection, can send a malformed LDAP password-policy response. This triggers an OutOfMemoryError, causing the Keycloak JVM to terminate and resulting in a complete outage of the node.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9801"
},
{
"category": "external",
"summary": "RHBZ#2482473",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482473"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9801",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9801"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9801",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9801"
}
],
"release_date": "2026-05-28T04:18:25.872000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, ensure that Keycloak\u0027s LDAP user-storage providers are configured to connect only to trusted and secure LDAP servers. Avoid configuring LDAP federation with unverified or potentially malicious LDAP endpoints. Additionally, always use TLS for LDAP connections to prevent Man-in-the-Middle attacks. If an upstream LDAP server is compromised, it should be isolated and secured immediately.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Denial of Service via malformed LDAP password policy response"
},
{
"acknowledgments": [
{
"names": [
"Gyeongpyo Son"
]
}
],
"cve": "CVE-2026-9802",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2026-05-28T04:01:03.837000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482467"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user\u0027s refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim\u0027s account, potentially leading to information disclosure or privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized account access via replayed refresh tokens after cluster restart",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw in Keycloak, when configured with `revokeRefreshToken=true` and persistent session storage, allows a remote attacker to regain unauthorized access. Following a full cluster restart, a previously revoked refresh token, if captured by an attacker, can be replayed to bypass security checks. This could lead to unauthorized account access, potentially resulting in information disclosure or privilege escalation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9802"
},
{
"category": "external",
"summary": "RHBZ#2482467",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482467"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9802",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9802"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9802",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9802"
}
],
"release_date": "2026-05-28T04:10:26.145000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Unauthorized account access via replayed refresh tokens after cluster restart"
},
{
"acknowledgments": [
{
"names": [
"Mustafa \u00c7etin"
]
}
],
"cve": "CVE-2026-9803",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2026-05-28T04:02:15.892000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482465"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed \u0027Authorization: Bearer\u0027 header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via malformed Authorization header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Moderate denial of service flaw was found in Keycloak\u0027s client registration endpoints. An unauthenticated attacker can send a specially crafted request with a malformed \u0027Authorization: Bearer\u0027 header, causing an ArrayIndexOutOfBoundsException and an HTTP 500 error. This can lead to a temporary disruption of service for the Keycloak instance.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9803"
},
{
"category": "external",
"summary": "RHBZ#2482465",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482465"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9803",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9803"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9803",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9803"
}
],
"release_date": "2026-05-28T04:03:01.292000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Denial of Service via malformed Authorization header"
},
{
"cve": "CVE-2026-37977",
"cwe": {
"id": "CWE-346",
"name": "Origin Validation Error"
},
"discovery_date": "2026-04-06T07:49:33.467949+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455324"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak\u0027s User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: [\"*\"]`.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Low impact: This vulnerability in Keycloak\u0027s UMA token endpoint allows for CORS header injection when a client is misconfigured with `webOrigins: [\"*\"]`. This can lead to the exposure of low-sensitivity information from authorization server error responses. Exploitation requires a specific client misconfiguration and does not affect default Keycloak installations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-37977"
},
{
"category": "external",
"summary": "RHBZ#2455324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-37977",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37977"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-37977",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37977"
}
],
"release_date": "2026-04-06T08:34:01.137000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:35:31+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25097"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:b32c3aaa65f4ea0ef5eca9ea14ba20f7a382a625acfeebf2b9f604caeaea143d_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:091b92f4afb1a23d0fc927e4160e824237b46128ea700ceeba6a8197f2952e6f_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:3e7730250bf4e80e6097bf585f6c56d26296abfd3a895b705fcb954fff5a6223_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:7230f239140c1e843bd0939ba086a285a183e3ed6c47b7fa72d55204f7fd5e54_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c71e3d3785552cb3f18bca097c7dac638fbc6e4d7af470da22b910181c0202c8_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:749a914cbd258815ac1fb6ca8f6e8624c30c6b411a6f6f00f7204e6e9d053c79_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:7e81ba378ddeb63a1a2fd2b85e9302a6430b44614a519e942bf410b376adc071_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:99222593645c093307b570651213c1695f74f7782f6922900688f8c4183d0c2c_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:acdf471dd72130f542d96f2066de14cee987d8d7c3c18eebfe7a9f6dd3ddcb8b_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim"
}
]
}
RHSA-2026:25098
Vulnerability from csaf_redhat - Published: 2026-06-10 17:38 - Updated: 2026-06-10 21:22Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.6.3 Update
Severity
Moderate
Notes
Topic: New Red Hat build of Keycloak 26.6.3 packages are available from the Customer Portal
Details: Red Hat build of Keycloak 26.6.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
Security fixes:
* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)
* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)
* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)
* Denial of Service via malformed Authorization header (CVE-2026-9803)
* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)
* Information disclosure via SAML ECP endpoint (CVE-2026-9794)
* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)
* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)
* Information disclosure due to user profile permission bypass (CVE-2026-9088)
* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)
* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)
* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)
* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)
* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
CWE-918 - Server-Side Request Forgery (SSRF)Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
5.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.
4.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
5.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
6.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
CWE-1220 - Insufficient Granularity of Access ControlAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
6.8 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.
4.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
4.9 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
6.8 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
CWE-346 - Origin Validation ErrorAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.3
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
References
59 references
Acknowledgments
Independent Security Researcher
Evan Hendra
Evan Hendra
RedHat
Martin Bartoš
Joy Gilbert
Reynaldo Immanuel
Hadley So
Filip Jovanov (PegasusMKD)
Muhammed Hussein
Asaad Mostafa
Seongkuk Park
Gyeongpyo Son
Mustafa Çetin
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat build of Keycloak 26.6.3 packages are available from the Customer Portal",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak 26.6.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nSecurity fixes:\n* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)\n* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)\n* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)\n* Denial of Service via malformed Authorization header (CVE-2026-9803)\n* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)\n* Information disclosure via SAML ECP endpoint (CVE-2026-9794)\n* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)\n* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)\n* Information disclosure due to user profile permission bypass (CVE-2026-9088)\n* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)\n* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)\n* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)\n* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)\n* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:25098",
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_25098.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.6.3 Update",
"tracking": {
"current_release_date": "2026-06-10T21:22:07+00:00",
"generator": {
"date": "2026-06-10T21:22:07+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.2"
}
},
"id": "RHSA-2026:25098",
"initial_release_date": "2026-06-10T17:38:19+00:00",
"revision_history": [
{
"date": "2026-06-10T17:38:19+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-10T17:38:19+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-10T21:22:07+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.6.3",
"product": {
"name": "Red Hat build of Keycloak 26.6.3",
"product_id": "Red Hat build of Keycloak 26.6.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.6::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-4874",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2026-03-26T05:51:10.233928+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2451611"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server\u2019s network context, potentially probing internal networks or internal APIs, leading to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw allows an authenticated attacker to perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This vulnerability is exploitable when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder, enabling the attacker to probe internal networks from the Keycloak server\u0027s context. Exploitation requires valid user credentials and a logout event.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4874"
},
{
"category": "external",
"summary": "RHBZ#2451611",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451611"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4874",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4874"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4874",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4874"
}
],
"release_date": "2026-03-26T05:56:03.440000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
]
}
],
"cve": "CVE-2026-7500",
"cwe": {
"id": "CWE-425",
"name": "Direct Request (\u0027Forced Browsing\u0027)"
},
"discovery_date": "2026-04-30T14:31:57.661264+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464126"
}
],
"notes": [
{
"category": "description",
"text": "When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional \u2014 including both read and write operations \u2014 because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the account Account API feature is disabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Keycloak allows authenticated users to bypass the intended disablement of the account and account-api features when Keycloak is started with `--features-disabled=account,account-api`. This bypass enables unauthorized read and write operations on specific account endpoints, despite the configuration aiming to restrict such access.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7500"
},
{
"category": "external",
"summary": "RHBZ#2464126",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464126"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7500",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7500"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7500",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7500"
}
],
"release_date": "2026-04-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "To reduce the attack surface, restrict network access to the Keycloak server\u0027s administration and API endpoints to trusted networks or hosts. This limits the ability of unauthorized users to interact with the server and potentially exploit this improper access control vulnerability. If the Keycloak service is reloaded or restarted, ensure that firewall rules or network access controls remain in effect.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the account Account API feature is disabled"
},
{
"acknowledgments": [
{
"names": [
"Martin Barto\u0161"
],
"organization": "RedHat"
}
],
"cve": "CVE-2026-8830",
"cwe": {
"id": "CWE-603",
"name": "Use of Client-Side Authentication"
},
"discovery_date": "2026-05-18T13:09:00.257429+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2479565"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential\u0027s parameters, such as public key algorithms, match the realm\u0027s configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak/keycloak-services: Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Moderate security flaw was found in Keycloak\u0027s WebAuthn credential registration process. This issue allows an authenticated attacker to bypass configured WebAuthn policies, such as algorithm requirements or user verification, by manipulating client-side JavaScript during registration. This bypass could lead to the registration of credentials that do not meet the intended security standards, potentially weakening the overall authentication posture.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-8830"
},
{
"category": "external",
"summary": "RHBZ#2479565",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479565"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-8830",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8830"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-8830",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8830"
}
],
"release_date": "2026-05-19T05:00:04.741000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak/keycloak-services: Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation"
},
{
"acknowledgments": [
{
"names": [
"Joy Gilbert",
"Reynaldo Immanuel"
]
}
],
"cve": "CVE-2026-8922",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2026-05-18T14:50:44.323413+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2479586"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak\u0027s OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: Security flaw in org.keycloak/keycloak-services",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Red Hat Build of Keycloak allows revoked OpenID Connect (OIDC) tokens to remain active due to a failure in honoring realm-level revocation policies when client-level `notBefore` values are also configured. This occurs because the client-level setting can interfere with the intended realm-level revocation, leading to a temporary bypass of security controls.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-8922"
},
{
"category": "external",
"summary": "RHBZ#2479586",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479586"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-8922",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8922"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-8922",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8922"
}
],
"release_date": "2026-05-19T06:22:56.138000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: Security flaw in org.keycloak/keycloak-services"
},
{
"cve": "CVE-2026-9087",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-05-20T14:53:02.458000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480172"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId,\nidpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim\u0027s local account.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A flaw in Keycloak\u0027s cross-session email verification allows an attacker to gain persistent access to a victim\u0027s local account. This occurs when an attacker controls an upstream identity provider account sharing an email with the victim, and the victim is actively linking their account while email verification is enabled and the identity provider is configured with `trustEmail=false`. The attacker can then consume the verification proof, linking their account to the victim\u0027s.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9087"
},
{
"category": "external",
"summary": "RHBZ#2480172",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480172"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9087",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9087"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9087",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9087"
}
],
"release_date": "2026-05-20T14:53:44.238000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "To mitigate this issue, configure the affected identity provider to set `trustEmail=true`. This ensures that Keycloak trusts the email address provided by the upstream identity provider, bypassing the vulnerable verification flow. This mitigation should only be applied if the upstream identity provider is fully trusted to verify email addresses and prevent malicious account creation with existing email addresses. Configuration changes may require a Keycloak service restart or reload to take effect.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login"
},
{
"acknowledgments": [
{
"names": [
"Hadley So"
]
}
],
"cve": "CVE-2026-9088",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2026-05-20T15:01:25.568000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480179"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure due to user profile permission bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Low: A flaw in Keycloak allows administrators with delegated access to read group memberships and users to bypass user profile permissions. This enables the viewing of user attributes that are configured to be denied, impacting data confidentiality for specific administrative roles.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9088"
},
{
"category": "external",
"summary": "RHBZ#2480179",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480179"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9088",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9088"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9088",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9088"
}
],
"release_date": "2026-06-05T07:45:40.116000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Keycloak: Information disclosure due to user profile permission bypass"
},
{
"acknowledgments": [
{
"names": [
"Filip Jovanov (PegasusMKD)"
]
}
],
"cve": "CVE-2026-9704",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-05-27T12:27:13.702000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2481877"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client\u0027s service account, leading to privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate flaw in Keycloak allows an authenticated, low-privileged user to escalate privileges. By submitting an oversized `subject_token` JWT to the TokenEndpoint, the system defaults to client credentials, granting the attacker the client\u0027s service account permissions. This bypass occurs when the token exceeds a 4000-character limit, leading to an unintended privilege gain.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9704"
},
{
"category": "external",
"summary": "RHBZ#2481877",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481877"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9704",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9704"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9704",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9704"
}
],
"release_date": "2026-05-27T12:45:59.735000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "To prevent the silent dropping of oversized `subject_token` JWTs, configure Keycloak to enforce strict parameter validation. This involves setting the `fail-fast` parameter to `true` for the `TokenEndpoint` configuration, which will cause requests with oversized parameters to be rejected explicitly rather than silently processed with reduced privileges. Consult Keycloak documentation for the exact method to modify these settings. A restart of the Keycloak service may be necessary for the changes to apply.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-9791",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2026-05-28T03:06:33+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482458"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the \u0027organization\u0027 scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-rhel9: Organization Data Leak After Feature Disabled in Keycloak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Keycloak fails to enforce the disabled state of the Organizations feature on user-facing APIs, allowing authenticated users to retrieve organization membership data and obtain tokens with organization claims even after an administrator has disabled the feature at the realm level.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9791"
},
{
"category": "external",
"summary": "RHBZ#2482458",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482458"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9791",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9791"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9791",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9791"
}
],
"release_date": "2026-05-28T03:08:53.319000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "Administrators should verify that disabling the Organizations feature properly blocks all organization-related functionality. Consider implementing additional access controls or removing organization memberships before disabling the feature.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak-rhel9: Organization Data Leak After Feature Disabled in Keycloak"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-9792",
"cwe": {
"id": "CWE-280",
"name": "Improper Handling of Insufficient Permissions or Privileges"
},
"discovery_date": "2026-05-28T03:09:09.710000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482459"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Medium severity flaw in Keycloak allows client policies designed to reject Resource Owner Password Credentials (ROPC) grants to be bypassed. When specific condition providers (client-type, client-roles, client-attributes, or client-scopes) are used, clients can obtain tokens via ROPC despite explicit policy configuration to block such requests. This impacts Keycloak deployments where administrators rely on these policies to enforce FAPI 2.0 compliance and prevent credential exposure.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9792"
},
{
"category": "external",
"summary": "RHBZ#2482459",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482459"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9792",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9792"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9792",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9792"
}
],
"release_date": "2026-05-28T03:10:21.828000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "To mitigate this issue, Keycloak administrators should review and adjust client policies designed to reject Resource Owner Password Credentials (ROPC) grants. Avoid using the `client-type`, `client-roles`, `client-attributes`, or `client-scopes` condition providers in conjunction with the `reject-ropc-grant` executor. Instead, configure policies to use the `grant-type` condition provider for ROPC rejection. A restart or reload of the Keycloak service may be required for these policy changes to take full effect.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition"
},
{
"acknowledgments": [
{
"names": [
"Muhammed Hussein",
"Asaad Mostafa"
]
}
],
"cve": "CVE-2026-9794",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2026-05-28T03:14:55.617000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482461"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client\u0027s protocol type, leading to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure via SAML ECP endpoint",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate-severity information disclosure flaw in Keycloak allows an unauthenticated, remote attacker to enumerate client protocol types. By sending specially crafted SOAP requests to the SAML ECP endpoint and analyzing the resulting faultstrings, an attacker can discern the protocol associated with different client IDs, aiding in further targeted attacks.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9794"
},
{
"category": "external",
"summary": "RHBZ#2482461",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482461"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9794",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9794"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9794",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9794"
}
],
"release_date": "2026-05-28T03:15:43.066000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Information disclosure via SAML ECP endpoint"
},
{
"acknowledgments": [
{
"names": [
"Seongkuk Park"
]
}
],
"cve": "CVE-2026-9801",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-05-28T04:00:39.339000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482473"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via malformed LDAP password policy response",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Keycloak presents a denial-of-service risk when an LDAP user-storage provider is configured. A highly privileged attacker, such as a realm administrator or through a compromised LDAP connection, can send a malformed LDAP password-policy response. This triggers an OutOfMemoryError, causing the Keycloak JVM to terminate and resulting in a complete outage of the node.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9801"
},
{
"category": "external",
"summary": "RHBZ#2482473",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482473"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9801",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9801"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9801",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9801"
}
],
"release_date": "2026-05-28T04:18:25.872000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, ensure that Keycloak\u0027s LDAP user-storage providers are configured to connect only to trusted and secure LDAP servers. Avoid configuring LDAP federation with unverified or potentially malicious LDAP endpoints. Additionally, always use TLS for LDAP connections to prevent Man-in-the-Middle attacks. If an upstream LDAP server is compromised, it should be isolated and secured immediately.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Denial of Service via malformed LDAP password policy response"
},
{
"acknowledgments": [
{
"names": [
"Gyeongpyo Son"
]
}
],
"cve": "CVE-2026-9802",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2026-05-28T04:01:03.837000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482467"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user\u0027s refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim\u0027s account, potentially leading to information disclosure or privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized account access via replayed refresh tokens after cluster restart",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw in Keycloak, when configured with `revokeRefreshToken=true` and persistent session storage, allows a remote attacker to regain unauthorized access. Following a full cluster restart, a previously revoked refresh token, if captured by an attacker, can be replayed to bypass security checks. This could lead to unauthorized account access, potentially resulting in information disclosure or privilege escalation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9802"
},
{
"category": "external",
"summary": "RHBZ#2482467",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482467"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9802",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9802"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9802",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9802"
}
],
"release_date": "2026-05-28T04:10:26.145000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Unauthorized account access via replayed refresh tokens after cluster restart"
},
{
"acknowledgments": [
{
"names": [
"Mustafa \u00c7etin"
]
}
],
"cve": "CVE-2026-9803",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2026-05-28T04:02:15.892000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482465"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed \u0027Authorization: Bearer\u0027 header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via malformed Authorization header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Moderate denial of service flaw was found in Keycloak\u0027s client registration endpoints. An unauthenticated attacker can send a specially crafted request with a malformed \u0027Authorization: Bearer\u0027 header, causing an ArrayIndexOutOfBoundsException and an HTTP 500 error. This can lead to a temporary disruption of service for the Keycloak instance.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9803"
},
{
"category": "external",
"summary": "RHBZ#2482465",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482465"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9803",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9803"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9803",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9803"
}
],
"release_date": "2026-05-28T04:03:01.292000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Denial of Service via malformed Authorization header"
},
{
"cve": "CVE-2026-37977",
"cwe": {
"id": "CWE-346",
"name": "Origin Validation Error"
},
"discovery_date": "2026-04-06T07:49:33.467949+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455324"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak\u0027s User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: [\"*\"]`.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Low impact: This vulnerability in Keycloak\u0027s UMA token endpoint allows for CORS header injection when a client is misconfigured with `webOrigins: [\"*\"]`. This can lead to the exposure of low-sensitivity information from authorization server error responses. Exploitation requires a specific client misconfiguration and does not affect default Keycloak installations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.3"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-37977"
},
{
"category": "external",
"summary": "RHBZ#2455324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-37977",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37977"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-37977",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37977"
}
],
"release_date": "2026-04-06T08:34:01.137000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-10T17:38:19+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.3"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:25098"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.3"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…