Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-9099 (GCVE-0-2026-9099)
Vulnerability from cvelistv5 – Published: 2026-06-25 16:16 – Updated: 2026-06-26 06:26
VLAI
EPSS
Title
Keycloak: group-admin escalation to realm-admin
Summary
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.
Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
Severity
7.7 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:30049 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:30050 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:30083 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:30084 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-9099 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2480182 | issue-trackingx_refsource_REDHAT |
Impacted products
6 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4.13-1 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4-19 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4.13 |
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6 |
Unaffected:
26.6.4-2 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.6::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6 |
Unaffected:
26.6-8 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.6::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.6.4 |
cpe:/a:redhat:build_keycloak:26.6::el9 |
Date Public
2026-06-25 15:58
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-9099",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-25T20:25:31.782558Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-25T20:26:06.600Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4.13-1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-19",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-19",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4.13",
"vendor": "Red Hat"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6.4-2",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.6",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.6-8",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.6::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.6.4",
"vendor": "Red Hat"
}
],
"datePublic": "2026-06-25T15:58:51.884Z",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-26T06:26:57.094Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:30049",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"name": "RHSA-2026:30050",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"name": "RHSA-2026:30083",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"name": "RHSA-2026:30084",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-9099"
},
{
"name": "RHBZ#2480182",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-05-20T15:05:54.381Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-06-25T15:58:51.884Z",
"value": "Made public."
}
],
"title": "Keycloak: group-admin escalation to realm-admin",
"workarounds": [
{
"lang": "en",
"value": "To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-639: Authorization Bypass Through User-Controlled Key"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-9099",
"datePublished": "2026-06-25T16:16:43.604Z",
"dateReserved": "2026-05-20T15:12:25.740Z",
"dateUpdated": "2026-06-26T06:26:57.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-9099",
"date": "2026-06-26",
"epss": "0.00269",
"percentile": "0.18417"
},
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-9099\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-25T20:25:31.782558Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-25T20:25:36.443Z\"}}], \"cna\": {\"title\": \"Keycloak: group-admin escalation to realm-admin\", \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 7.7, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.6\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.6.4-2\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-operator-bundle\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.6\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.6-8\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.6\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.6-8\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9-operator\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.6::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.6.4\", \"packageName\": \"rhbk/keycloak-rhel9\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-05-20T15:05:54.381Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-06-25T15:58:51.884Z\", \"value\": \"Made public.\"}], \"datePublic\": \"2026-06-25T15:58:51.884Z\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2026:30083\", \"name\": \"RHSA-2026:30083\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:30084\", \"name\": \"RHSA-2026:30084\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2026-9099\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2480182\", \"name\": \"RHBZ#2480182\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities.\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\\n\\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2026-06-25T20:56:59.876Z\"}, \"x_redhatCweChain\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-9099\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-25T20:56:59.876Z\", \"dateReserved\": \"2026-05-20T15:12:25.740Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2026-06-25T16:16:43.604Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
GHSA-RMCJ-82CR-27RX
Vulnerability from github – Published: 2026-06-25 18:30 – Updated: 2026-06-26 09:30
VLAI
Details
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.
Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
Severity
7.7 (High)
{
"affected": [],
"aliases": [
"CVE-2026-9099"
],
"database_specific": {
"cwe_ids": [
"CWE-639"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-25T17:17:03Z",
"severity": "HIGH"
},
"details": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.",
"id": "GHSA-rmcj-82cr-27rx",
"modified": "2026-06-26T09:30:46Z",
"published": "2026-06-25T18:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9099"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-9099"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
RHSA-2026:30049
Vulnerability from csaf_redhat - Published: 2026-06-25 17:36 - Updated: 2026-06-26 06:46Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.4.13 Security Update
Severity
Important
Notes
Topic: New Red Hat build of Keycloak 26.4.13 packages are available from the Customer Portal
Details: Red Hat build of Keycloak 26.4.13 is a standalone server, based on
the Keycloak project, that provides authentication and
standards-based single sign-on capabilities for web and mobile
applications.
Security fixes:
* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)
* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)
* eclipse-vertx/vert.x:Denial of Service via TLS handshake with wildcard server name (CVE-2026-6860)
* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)
* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)
* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)
* Information disclosure through arbitrary filesystem path probing (CVE-2026-9083)
* Cross-site scripting (XSS) via case-insensitive URI validation bypass (CVE-2026-9086)
* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)
* Information disclosure due to user profile permission bypass (CVE-2026-9088)
* Group-Admin Escalation to Realm-Admin (CVE-2026-9099)
* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)
* Attacker can re-enable and take over disabled clients via Registration Access Token (CVE-2026-9705)
* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)
* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)
* Information disclosure via SAML ECP endpoint (CVE-2026-9794)
* Privilege escalation via improper scope mapping enforcement (CVE-2026-9795)
* Unauthorized access to resources via UMA permission ticket bypass (CVE-2026-9799)
* Authorization bypass via incorrect URI comparison (CVE-2026-9800)
* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)
* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)
* Denial of Service via malformed Authorization header (CVE-2026-9803)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
CWE-918 - Server-Side Request Forgery (SSRF)Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in eclipse-vertx/vert.x. A remote attacker can exploit this vulnerability by performing a Transport Layer Security (TLS) handshake and presenting a server name extension with a server wildcard name. This can lead to a denial of service (DoS) condition, impacting the availability of the affected system.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
5.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.
4.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
5.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.
4.9 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
7.3 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
6.4 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
CWE-1220 - Insufficient Granularity of Access ControlAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
7.7 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
6.8 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.
4.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
7.3 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.
4.6 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
4.9 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
6.8 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
CWE-346 - Origin Validation ErrorAffected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.13
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
|
Threats
Impact
Low
References
94 references
Acknowledgments
Independent Security Researcher
Evan Hendra
Evan Hendra
RedHat
Martin Bartoš
Joy Gilbert
Reynaldo Immanuel
AxiomCode
Swapnil Paliwal & Security Team
saku0512
Hadley So
Filip Jovanov (PegasusMKD)
Qiulin Deng
Muhammed Hussein
Asaad Mostafa
Andrej Tomci
Omaroo Baniessa
Bas Levering
Seongkuk Park
Gyeongpyo Son
Mustafa Çetin
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat build of Keycloak 26.4.13 packages are available from the Customer Portal",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak 26.4.13 is a standalone server, based on\nthe Keycloak project, that provides authentication and\nstandards-based single sign-on capabilities for web and mobile\napplications.\n\nSecurity fixes:\n* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)\n* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)\n* eclipse-vertx/vert.x:Denial of Service via TLS handshake with wildcard server name (CVE-2026-6860)\n* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)\n* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)\n* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)\n* Information disclosure through arbitrary filesystem path probing (CVE-2026-9083)\n* Cross-site scripting (XSS) via case-insensitive URI validation bypass (CVE-2026-9086)\n* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)\n* Information disclosure due to user profile permission bypass (CVE-2026-9088)\n* Group-Admin Escalation to Realm-Admin (CVE-2026-9099)\n* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)\n* Attacker can re-enable and take over disabled clients via Registration Access Token (CVE-2026-9705)\n* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)\n* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)\n* Information disclosure via SAML ECP endpoint (CVE-2026-9794)\n* Privilege escalation via improper scope mapping enforcement (CVE-2026-9795)\n* Unauthorized access to resources via UMA permission ticket bypass (CVE-2026-9799)\n* Authorization bypass via incorrect URI comparison (CVE-2026-9800)\n* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)\n* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)\n* Denial of Service via malformed Authorization header (CVE-2026-9803)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:30049",
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_30049.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.4.13 Security Update",
"tracking": {
"current_release_date": "2026-06-26T06:46:45+00:00",
"generator": {
"date": "2026-06-26T06:46:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.2.5"
}
},
"id": "RHSA-2026:30049",
"initial_release_date": "2026-06-25T17:36:24+00:00",
"revision_history": [
{
"date": "2026-06-25T17:36:24+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-25T17:36:24+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-26T06:46:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.4.13",
"product": {
"name": "Red Hat build of Keycloak 26.4.13",
"product_id": "Red Hat build of Keycloak 26.4.13",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-4874",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2026-03-26T05:51:10.233928+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2451611"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server\u2019s network context, potentially probing internal networks or internal APIs, leading to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw allows an authenticated attacker to perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This vulnerability is exploitable when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder, enabling the attacker to probe internal networks from the Keycloak server\u0027s context. Exploitation requires valid user credentials and a logout event.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4874"
},
{
"category": "external",
"summary": "RHBZ#2451611",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451611"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4874",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4874"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4874",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4874"
}
],
"release_date": "2026-03-26T05:56:03.440000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation"
},
{
"cve": "CVE-2026-6860",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-05-06T10:01:43.929832+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466990"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in eclipse-vertx/vert.x. A remote attacker can exploit this vulnerability by performing a Transport Layer Security (TLS) handshake and presenting a server name extension with a server wildcard name. This can lead to a denial of service (DoS) condition, impacting the availability of the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "eclipse-vertx/vert.x: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated as Moderate because a remote attacker can trigger a denial of service in Red Hat products that use `eclipse-vertx/vert.x` and are configured with TLS wildcard server names. Exploitation occurs during the TLS handshake, impacting service availability without affecting data confidentiality or integrity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6860"
},
{
"category": "external",
"summary": "RHBZ#2466990",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466990"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6860",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6860"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6860",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6860"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/pull/6102",
"url": "https://github.com/eclipse-vertx/vert.x/pull/6102"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6",
"url": "https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381"
}
],
"release_date": "2026-05-06T09:55:12.531000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "eclipse-vertx/vert.x: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
]
}
],
"cve": "CVE-2026-7500",
"cwe": {
"id": "CWE-425",
"name": "Direct Request (\u0027Forced Browsing\u0027)"
},
"discovery_date": "2026-04-30T14:31:57.661264+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464126"
}
],
"notes": [
{
"category": "description",
"text": "When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional \u2014 including both read and write operations \u2014 because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the account Account API feature is disabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Keycloak allows authenticated users to bypass the intended disablement of the account and account-api features when Keycloak is started with `--features-disabled=account,account-api`. This bypass enables unauthorized read and write operations on specific account endpoints, despite the configuration aiming to restrict such access.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7500"
},
{
"category": "external",
"summary": "RHBZ#2464126",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464126"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7500",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7500"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7500",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7500"
}
],
"release_date": "2026-04-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "To reduce the attack surface, restrict network access to the Keycloak server\u0027s administration and API endpoints to trusted networks or hosts. This limits the ability of unauthorized users to interact with the server and potentially exploit this improper access control vulnerability. If the Keycloak service is reloaded or restarted, ensure that firewall rules or network access controls remain in effect.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the account Account API feature is disabled"
},
{
"acknowledgments": [
{
"names": [
"Martin Barto\u0161"
],
"organization": "RedHat"
}
],
"cve": "CVE-2026-8830",
"cwe": {
"id": "CWE-603",
"name": "Use of Client-Side Authentication"
},
"discovery_date": "2026-05-18T13:09:00.257429+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2479565"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential\u0027s parameters, such as public key algorithms, match the realm\u0027s configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak/keycloak-services: Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Moderate security flaw was found in Keycloak\u0027s WebAuthn credential registration process. This issue allows an authenticated attacker to bypass configured WebAuthn policies, such as algorithm requirements or user verification, by manipulating client-side JavaScript during registration. This bypass could lead to the registration of credentials that do not meet the intended security standards, potentially weakening the overall authentication posture.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-8830"
},
{
"category": "external",
"summary": "RHBZ#2479565",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479565"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-8830",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8830"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-8830",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8830"
}
],
"release_date": "2026-05-19T05:00:04.741000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak/keycloak-services: Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation"
},
{
"acknowledgments": [
{
"names": [
"Joy Gilbert",
"Reynaldo Immanuel"
]
}
],
"cve": "CVE-2026-8922",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2026-05-18T14:50:44.323413+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2479586"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak\u0027s OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: Security flaw in org.keycloak/keycloak-services",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Red Hat Build of Keycloak allows revoked OpenID Connect (OIDC) tokens to remain active due to a failure in honoring realm-level revocation policies when client-level `notBefore` values are also configured. This occurs because the client-level setting can interfere with the intended realm-level revocation, leading to a temporary bypass of security controls.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-8922"
},
{
"category": "external",
"summary": "RHBZ#2479586",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479586"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-8922",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8922"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-8922",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8922"
}
],
"release_date": "2026-05-19T06:22:56.138000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: Security flaw in org.keycloak/keycloak-services"
},
{
"acknowledgments": [
{
"names": [
"Swapnil Paliwal \u0026 Security Team"
],
"organization": "AxiomCode"
}
],
"cve": "CVE-2026-9083",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-05-20T14:11:24.606000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480168"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A realm administrator with the \"manage-realm\" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Medium: This flaw in Keycloak allows a highly privileged realm administrator with the \"manage-realm\" role to perform arbitrary filesystem path probing. By submitting a crafted keystore path, an authenticated attacker can determine the existence and readability of files on the Keycloak server, potentially identifying high-value targets for further attacks. Exploitation requires an attacker to possess the \"manage-realm\" role, which is a high-level administrative permission.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9083"
},
{
"category": "external",
"summary": "RHBZ#2480168",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480168"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9083",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9083"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9083",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9083"
}
],
"release_date": "2026-06-25T15:58:16.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "Ensure that only highly trusted administrators are granted the \"manage-realm\" role within Keycloak. This role provides extensive administrative privileges, including the ability to exploit this vulnerability for filesystem probing. Regularly review and audit users assigned to this role to minimize the attack surface.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing"
},
{
"acknowledgments": [
{
"names": [
"saku0512"
]
}
],
"cve": "CVE-2026-9086",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-05-20T14:43:55.195000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480170"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated as High. Keycloak\u0027s client URI validation is vulnerable to a case-insensitivity issue, allowing attackers to bypass scheme blocklists by using mixed-case `javascript:` or `data:` URIs. This can lead to cross-site scripting (XSS) in the Keycloak origin when a victim interacts with a crafted link, such as during the logout flow. Exploitation requires an authenticated administrator with `manage-client` privileges or access to client registration endpoints, and user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9086"
},
{
"category": "external",
"summary": "RHBZ#2480170",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480170"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9086",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9086"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9086",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9086"
}
],
"release_date": "2026-06-25T15:58:33.359000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak\u0027s Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass"
},
{
"cve": "CVE-2026-9087",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-05-20T14:53:02.458000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480172"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId,\nidpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim\u0027s local account.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A flaw in Keycloak\u0027s cross-session email verification allows an attacker to gain persistent access to a victim\u0027s local account. This occurs when an attacker controls an upstream identity provider account sharing an email with the victim, and the victim is actively linking their account while email verification is enabled and the identity provider is configured with `trustEmail=false`. The attacker can then consume the verification proof, linking their account to the victim\u0027s.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9087"
},
{
"category": "external",
"summary": "RHBZ#2480172",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480172"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9087",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9087"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9087",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9087"
}
],
"release_date": "2026-05-20T14:53:44.238000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "To mitigate this issue, configure the affected identity provider to set `trustEmail=true`. This ensures that Keycloak trusts the email address provided by the upstream identity provider, bypassing the vulnerable verification flow. This mitigation should only be applied if the upstream identity provider is fully trusted to verify email addresses and prevent malicious account creation with existing email addresses. Configuration changes may require a Keycloak service restart or reload to take effect.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login"
},
{
"acknowledgments": [
{
"names": [
"Hadley So"
]
}
],
"cve": "CVE-2026-9088",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2026-05-20T15:01:25.568000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480179"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure due to user profile permission bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Low: A flaw in Keycloak allows administrators with delegated access to read group memberships and users to bypass user profile permissions. This enables the viewing of user attributes that are configured to be denied, impacting data confidentiality for specific administrative roles.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9088"
},
{
"category": "external",
"summary": "RHBZ#2480179",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480179"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9088",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9088"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9088",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9088"
}
],
"release_date": "2026-06-05T07:45:40.116000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Keycloak: Information disclosure due to user profile permission bypass"
},
{
"cve": "CVE-2026-9099",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-05-20T15:05:54.381000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480182"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Group-Admin Escalation to Realm-Admin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as High impact. When Fine-Grained Admin Permissions (FGAPv2) are enabled in Keycloak, a delegated administrator with specific `manage-members` permissions on a low-privilege group can bypass authorization checks to reparent any other group, including those with `realm-admin` roles. This allows the attacker to reset passwords of members in the stolen group, leading to a full realm takeover.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9099"
},
{
"category": "external",
"summary": "RHBZ#2480182",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9099"
}
],
"release_date": "2026-06-25T15:58:51.884000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Group-Admin Escalation to Realm-Admin"
},
{
"acknowledgments": [
{
"names": [
"Filip Jovanov (PegasusMKD)"
]
}
],
"cve": "CVE-2026-9704",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-05-27T12:27:13.702000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2481877"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client\u0027s service account, leading to privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate flaw in Keycloak allows an authenticated, low-privileged user to escalate privileges. By submitting an oversized `subject_token` JWT to the TokenEndpoint, the system defaults to client credentials, granting the attacker the client\u0027s service account permissions. This bypass occurs when the token exceeds a 4000-character limit, leading to an unintended privilege gain.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9704"
},
{
"category": "external",
"summary": "RHBZ#2481877",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481877"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9704",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9704"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9704",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9704"
}
],
"release_date": "2026-05-27T12:45:59.735000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "To prevent the silent dropping of oversized `subject_token` JWTs, configure Keycloak to enforce strict parameter validation. This involves setting the `fail-fast` parameter to `true` for the `TokenEndpoint` configuration, which will cause requests with oversized parameters to be rejected explicitly rather than silently processed with reduced privileges. Consult Keycloak documentation for the exact method to modify these settings. A restart of the Keycloak service may be necessary for the changes to apply.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT"
},
{
"acknowledgments": [
{
"names": [
"Qiulin Deng"
]
}
],
"cve": "CVE-2026-9705",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2026-05-27T12:42:28.395000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2481878"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client\u0027s secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Moderate flaw was found in Keycloak where a disabled client can be re-enabled by an attacker who retains a Registration Access Token (RAT) from a prior legitimate client registration. This allows the attacker to bypass the administrator\u0027s explicit intent to disable the client, reset its secret, and restore OAuth client_credentials capability, potentially leading to unauthorized access to resources.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9705"
},
{
"category": "external",
"summary": "RHBZ#2481878",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481878"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9705",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9705"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705"
}
],
"release_date": "2026-06-25T15:59:03.780000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "To mitigate this issue, restrict network access to the Keycloak Dynamic Client Registration endpoint. Configure network firewalls to allow connections only from trusted hosts or networks that legitimately require access to this functionality. This limits the exposure of the vulnerable endpoint to unauthorized access attempts.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-9791",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2026-05-28T03:06:33+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482458"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the \u0027organization\u0027 scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-rhel9: Organization Data Leak After Feature Disabled in Keycloak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Keycloak fails to enforce the disabled state of the Organizations feature on user-facing APIs, allowing authenticated users to retrieve organization membership data and obtain tokens with organization claims even after an administrator has disabled the feature at the realm level.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9791"
},
{
"category": "external",
"summary": "RHBZ#2482458",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482458"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9791",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9791"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9791",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9791"
}
],
"release_date": "2026-05-28T03:08:53.319000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "Administrators should verify that disabling the Organizations feature properly blocks all organization-related functionality. Consider implementing additional access controls or removing organization memberships before disabling the feature.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak-rhel9: Organization Data Leak After Feature Disabled in Keycloak"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-9792",
"cwe": {
"id": "CWE-280",
"name": "Improper Handling of Insufficient Permissions or Privileges"
},
"discovery_date": "2026-05-28T03:09:09.710000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482459"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Medium severity flaw in Keycloak allows client policies designed to reject Resource Owner Password Credentials (ROPC) grants to be bypassed. When specific condition providers (client-type, client-roles, client-attributes, or client-scopes) are used, clients can obtain tokens via ROPC despite explicit policy configuration to block such requests. This impacts Keycloak deployments where administrators rely on these policies to enforce FAPI 2.0 compliance and prevent credential exposure.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9792"
},
{
"category": "external",
"summary": "RHBZ#2482459",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482459"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9792",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9792"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9792",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9792"
}
],
"release_date": "2026-05-28T03:10:21.828000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "To mitigate this issue, Keycloak administrators should review and adjust client policies designed to reject Resource Owner Password Credentials (ROPC) grants. Avoid using the `client-type`, `client-roles`, `client-attributes`, or `client-scopes` condition providers in conjunction with the `reject-ropc-grant` executor. Instead, configure policies to use the `grant-type` condition provider for ROPC rejection. A restart or reload of the Keycloak service may be required for these policy changes to take full effect.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition"
},
{
"acknowledgments": [
{
"names": [
"Muhammed Hussein",
"Asaad Mostafa"
]
}
],
"cve": "CVE-2026-9794",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2026-05-28T03:14:55.617000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482461"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client\u0027s protocol type, leading to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure via SAML ECP endpoint",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate-severity information disclosure flaw in Keycloak allows an unauthenticated, remote attacker to enumerate client protocol types. By sending specially crafted SOAP requests to the SAML ECP endpoint and analyzing the resulting faultstrings, an attacker can discern the protocol associated with different client IDs, aiding in further targeted attacks.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9794"
},
{
"category": "external",
"summary": "RHBZ#2482461",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482461"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9794",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9794"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9794",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9794"
}
],
"release_date": "2026-05-28T03:15:43.066000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Information disclosure via SAML ECP endpoint"
},
{
"acknowledgments": [
{
"names": [
"Andrej Tomci"
]
}
],
"cve": "CVE-2026-9795",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2026-05-28T03:15:51.639000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client\u0027s scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user\u0027s authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important privilege escalation flaw in Keycloak when Fine-Grained Admin Permissions (FGAPv2) are enabled. An attacker with fine-grained client management permissions can bypass role mapping restrictions, allowing them to inject arbitrary realm roles into a client\u0027s scope. Subsequent authentication by a privileged user through the compromised client would then project these injected roles into their token, leading to unauthorized access. Exploitation requires specific administrative preconditions and user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9795"
},
{
"category": "external",
"summary": "RHBZ#2482462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9795",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9795"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9795",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9795"
}
],
"release_date": "2026-05-28T03:16:49.326000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "To mitigate this issue, disable the Fine-Grained Admin Permissions (FGAPv2) feature in Keycloak if it is not strictly required. This can typically be done by setting `adminPermissionsEnabled` to `false` in the realm configuration. Disabling FGAPv2 will prevent the exploitation of this flaw by removing the vulnerable functionality. However, this may impact administrative delegation capabilities within Keycloak. A restart or reload of the Keycloak service may be required for the changes to take effect.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement"
},
{
"acknowledgments": [
{
"names": [
"Omaroo Baniessa"
]
}
],
"cve": "CVE-2026-9799",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-05-28T03:53:15.687000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482471"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized access to resources via UMA permission ticket bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Medium severity flaw exists in Keycloak\u0027s authorization component where a user with a UMA permission ticket for a specific resource type can gain unauthorized access to all resources of that type. This bypass occurs when the resource server is configured with the non-default PERMISSIVE policy enforcement mode, has ownerManagedAccess enabled for typed resources, and lacks a covering policy for the resource type. Exploitation requires an authenticated user with an existing permission ticket, limiting its impact to specific, non-default Keycloak deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9799"
},
{
"category": "external",
"summary": "RHBZ#2482471",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482471"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9799",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9799"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9799",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9799"
}
],
"release_date": "2026-05-19T12:34:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "To mitigate this issue, ensure that the Keycloak client\u0027s policy enforcement mode is set to ENFORCING instead of PERMISSIVE. The PERMISSIVE mode is a non-default configuration that enables the vulnerability. Changing this setting will prevent the unauthorized access to resources of the same type. Consult Keycloak documentation for specific instructions on configuring policy enforcement mode for your client. This change may require a restart or reload of the Keycloak service to take effect and could impact existing authorization policies if not carefully managed.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Unauthorized access to resources via UMA permission ticket bypass"
},
{
"acknowledgments": [
{
"names": [
"Bas Levering"
]
}
],
"cve": "CVE-2026-9800",
"cwe": {
"id": "CWE-1025",
"name": "Comparison Using Wrong Factors"
},
"discovery_date": "2026-05-28T03:57:56.111000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482472"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9800"
},
{
"category": "external",
"summary": "RHBZ#2482472",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482472"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9800"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9800",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9800"
}
],
"release_date": "2026-05-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison"
},
{
"acknowledgments": [
{
"names": [
"Seongkuk Park"
]
}
],
"cve": "CVE-2026-9801",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-05-28T04:00:39.339000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482473"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via malformed LDAP password policy response",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Keycloak presents a denial-of-service risk when an LDAP user-storage provider is configured. A highly privileged attacker, such as a realm administrator or through a compromised LDAP connection, can send a malformed LDAP password-policy response. This triggers an OutOfMemoryError, causing the Keycloak JVM to terminate and resulting in a complete outage of the node.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9801"
},
{
"category": "external",
"summary": "RHBZ#2482473",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482473"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9801",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9801"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9801",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9801"
}
],
"release_date": "2026-05-28T04:18:25.872000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, ensure that Keycloak\u0027s LDAP user-storage providers are configured to connect only to trusted and secure LDAP servers. Avoid configuring LDAP federation with unverified or potentially malicious LDAP endpoints. Additionally, always use TLS for LDAP connections to prevent Man-in-the-Middle attacks. If an upstream LDAP server is compromised, it should be isolated and secured immediately.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Denial of Service via malformed LDAP password policy response"
},
{
"acknowledgments": [
{
"names": [
"Gyeongpyo Son"
]
}
],
"cve": "CVE-2026-9802",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2026-05-28T04:01:03.837000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482467"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user\u0027s refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim\u0027s account, potentially leading to information disclosure or privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized account access via replayed refresh tokens after cluster restart",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw in Keycloak, when configured with `revokeRefreshToken=true` and persistent session storage, allows a remote attacker to regain unauthorized access. Following a full cluster restart, a previously revoked refresh token, if captured by an attacker, can be replayed to bypass security checks. This could lead to unauthorized account access, potentially resulting in information disclosure or privilege escalation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9802"
},
{
"category": "external",
"summary": "RHBZ#2482467",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482467"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9802",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9802"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9802",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9802"
}
],
"release_date": "2026-05-28T04:10:26.145000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Unauthorized account access via replayed refresh tokens after cluster restart"
},
{
"acknowledgments": [
{
"names": [
"Mustafa \u00c7etin"
]
}
],
"cve": "CVE-2026-9803",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2026-05-28T04:02:15.892000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482465"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed \u0027Authorization: Bearer\u0027 header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via malformed Authorization header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Moderate denial of service flaw was found in Keycloak\u0027s client registration endpoints. An unauthenticated attacker can send a specially crafted request with a malformed \u0027Authorization: Bearer\u0027 header, causing an ArrayIndexOutOfBoundsException and an HTTP 500 error. This can lead to a temporary disruption of service for the Keycloak instance.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9803"
},
{
"category": "external",
"summary": "RHBZ#2482465",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482465"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9803",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9803"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9803",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9803"
}
],
"release_date": "2026-05-28T04:03:01.292000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Denial of Service via malformed Authorization header"
},
{
"cve": "CVE-2026-37977",
"cwe": {
"id": "CWE-346",
"name": "Origin Validation Error"
},
"discovery_date": "2026-04-06T07:49:33.467949+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455324"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak\u0027s User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: [\"*\"]`.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Low impact: This vulnerability in Keycloak\u0027s UMA token endpoint allows for CORS header injection when a client is misconfigured with `webOrigins: [\"*\"]`. This can lead to the exposure of low-sensitivity information from authorization server error responses. Exploitation requires a specific client misconfiguration and does not affect default Keycloak installations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.13"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-37977"
},
{
"category": "external",
"summary": "RHBZ#2455324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-37977",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37977"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-37977",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37977"
}
],
"release_date": "2026-04-06T08:34:01.137000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:36:24+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.13"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30049"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.13"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim"
}
]
}
RHSA-2026:30050
Vulnerability from csaf_redhat - Published: 2026-06-25 17:40 - Updated: 2026-06-26 06:46Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.4.13 Images Security Update
Severity
Important
Notes
Topic: New images are available for Red Hat build of Keycloak 26.4.13 and Red Hat build of Keycloak 26.4.13 Operator, running on OpenShift Container Platform
Details: Red Hat build of Keycloak is an integrated sign-on solution,
available as a Red Hat JBoss Middleware for OpenShift containerized
image. The Red Hat build of Keycloak for OpenShift image provides
an authentication server that you can use to log in centrally, log
out, and register. You can also manage user accounts for web
applications, mobile applications, and RESTful web services.
Red Hat build of Keycloak Operator for OpenShift simplifies
deployment and management of Keycloak 26.4.13 clusters.
This erratum releases new images for Red Hat build of Keycloak
26.4.13 for use within the OpenShift Container Platform cloud
computing Platform-as-a-Service (PaaS) for on-premise or private
cloud deployments, aligning with the standalone product release.
Security fixes:
* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)
* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)
* eclipse-vertx/vert.x:Denial of Service via TLS handshake with wildcard server name (CVE-2026-6860)
* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)
* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)
* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)
* Information disclosure through arbitrary filesystem path probing (CVE-2026-9083)
* Cross-site scripting (XSS) via case-insensitive URI validation bypass (CVE-2026-9086)
* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)
* Information disclosure due to user profile permission bypass (CVE-2026-9088)
* Group-Admin Escalation to Realm-Admin (CVE-2026-9099)
* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)
* Attacker can re-enable and take over disabled clients via Registration Access Token (CVE-2026-9705)
* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)
* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)
* Information disclosure via SAML ECP endpoint (CVE-2026-9794)
* Privilege escalation via improper scope mapping enforcement (CVE-2026-9795)
* Unauthorized access to resources via UMA permission ticket bypass (CVE-2026-9799)
* Authorization bypass via incorrect URI comparison (CVE-2026-9800)
* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)
* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)
* Denial of Service via malformed Authorization header (CVE-2026-9803)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
CWE-918 - Server-Side Request Forgery (SSRF)Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in eclipse-vertx/vert.x. A remote attacker can exploit this vulnerability by performing a Transport Layer Security (TLS) handshake and presenting a server name extension with a server wildcard name. This can lead to a denial of service (DoS) condition, impacting the availability of the affected system.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
5.4 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.
4.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.
5.4 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.
4.9 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
7.3 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
6.4 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.
CWE-1220 - Insufficient Granularity of Access ControlAffected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Low
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
7.7 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
6.8 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.
6.5 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.
4.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.
6.5 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client's protocol type, leading to information disclosure.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
7.3 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.
4.6 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
8.1 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.
4.9 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim's account, potentially leading to information disclosure or privilege escalation.
6.8 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
CWE-346 - Origin Validation ErrorAffected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x | — |
Vendor Fix
fix
|
Threats
Impact
Low
References
94 references
Acknowledgments
Independent Security Researcher
Evan Hendra
Evan Hendra
RedHat
Martin Bartoš
Joy Gilbert
Reynaldo Immanuel
AxiomCode
Swapnil Paliwal & Security Team
saku0512
Hadley So
Filip Jovanov (PegasusMKD)
Qiulin Deng
Muhammed Hussein
Asaad Mostafa
Andrej Tomci
Omaroo Baniessa
Bas Levering
Seongkuk Park
Gyeongpyo Son
Mustafa Çetin
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New images are available for Red Hat build of Keycloak 26.4.13 and Red Hat build of Keycloak 26.4.13 Operator, running on OpenShift Container Platform",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak is an integrated sign-on solution,\navailable as a Red Hat JBoss Middleware for OpenShift containerized\nimage. The Red Hat build of Keycloak for OpenShift image provides\nan authentication server that you can use to log in centrally, log\nout, and register. You can also manage user accounts for web\napplications, mobile applications, and RESTful web services.\n\nRed Hat build of Keycloak Operator for OpenShift simplifies\ndeployment and management of Keycloak 26.4.13 clusters.\n\nThis erratum releases new images for Red Hat build of Keycloak\n26.4.13 for use within the OpenShift Container Platform cloud\ncomputing Platform-as-a-Service (PaaS) for on-premise or private\ncloud deployments, aligning with the standalone product release.\n\nSecurity fixes:\n* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)\n* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)\n* eclipse-vertx/vert.x:Denial of Service via TLS handshake with wildcard server name (CVE-2026-6860)\n* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)\n* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)\n* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)\n* Information disclosure through arbitrary filesystem path probing (CVE-2026-9083)\n* Cross-site scripting (XSS) via case-insensitive URI validation bypass (CVE-2026-9086)\n* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)\n* Information disclosure due to user profile permission bypass (CVE-2026-9088)\n* Group-Admin Escalation to Realm-Admin (CVE-2026-9099)\n* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)\n* Attacker can re-enable and take over disabled clients via Registration Access Token (CVE-2026-9705)\n* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)\n* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)\n* Information disclosure via SAML ECP endpoint (CVE-2026-9794)\n* Privilege escalation via improper scope mapping enforcement (CVE-2026-9795)\n* Unauthorized access to resources via UMA permission ticket bypass (CVE-2026-9799)\n* Authorization bypass via incorrect URI comparison (CVE-2026-9800)\n* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)\n* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)\n* Denial of Service via malformed Authorization header (CVE-2026-9803)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:30050",
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_30050.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.4.13 Images Security Update",
"tracking": {
"current_release_date": "2026-06-26T06:46:45+00:00",
"generator": {
"date": "2026-06-26T06:46:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.2.5"
}
},
"id": "RHSA-2026:30050",
"initial_release_date": "2026-06-25T17:40:47+00:00",
"revision_history": [
{
"date": "2026-06-25T17:40:47+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-25T17:40:47+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-26T06:46:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.4",
"product": {
"name": "Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"product_id": "rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-19"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-19"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"product_id": "rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-19"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"product": {
"name": "rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"product_id": "rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-operator-bundle\u0026tag=26.4.13-1"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-19"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x",
"product_id": "rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-19"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-19"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"product_id": "rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-19"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-19"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64"
},
"product_reference": "rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x",
"relates_to_product_reference": "9Base-RHBK-26.4"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-4874",
"cwe": {
"id": "CWE-918",
"name": "Server-Side Request Forgery (SSRF)"
},
"discovery_date": "2026-03-26T05:51:10.233928+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2451611"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server\u2019s network context, potentially probing internal networks or internal APIs, leading to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw allows an authenticated attacker to perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This vulnerability is exploitable when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder, enabling the attacker to probe internal networks from the Keycloak server\u0027s context. Exploitation requires valid user credentials and a logout event.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4874"
},
{
"category": "external",
"summary": "RHBZ#2451611",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451611"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4874",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4874"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4874",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4874"
}
],
"release_date": "2026-03-26T05:56:03.440000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options don\u0027t meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation"
},
{
"cve": "CVE-2026-6860",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-05-06T10:01:43.929832+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466990"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in eclipse-vertx/vert.x. A remote attacker can exploit this vulnerability by performing a Transport Layer Security (TLS) handshake and presenting a server name extension with a server wildcard name. This can lead to a denial of service (DoS) condition, impacting the availability of the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "eclipse-vertx/vert.x: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated as Moderate because a remote attacker can trigger a denial of service in Red Hat products that use `eclipse-vertx/vert.x` and are configured with TLS wildcard server names. Exploitation occurs during the TLS handshake, impacting service availability without affecting data confidentiality or integrity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6860"
},
{
"category": "external",
"summary": "RHBZ#2466990",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466990"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6860",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6860"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6860",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6860"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/pull/6102",
"url": "https://github.com/eclipse-vertx/vert.x/pull/6102"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6",
"url": "https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381"
}
],
"release_date": "2026-05-06T09:55:12.531000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "eclipse-vertx/vert.x: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
]
}
],
"cve": "CVE-2026-7500",
"cwe": {
"id": "CWE-425",
"name": "Direct Request (\u0027Forced Browsing\u0027)"
},
"discovery_date": "2026-04-30T14:31:57.661264+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464126"
}
],
"notes": [
{
"category": "description",
"text": "When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional \u2014 including both read and write operations \u2014 because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the account Account API feature is disabled",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Keycloak allows authenticated users to bypass the intended disablement of the account and account-api features when Keycloak is started with `--features-disabled=account,account-api`. This bypass enables unauthorized read and write operations on specific account endpoints, despite the configuration aiming to restrict such access.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7500"
},
{
"category": "external",
"summary": "RHBZ#2464126",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464126"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7500",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7500"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7500",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7500"
}
],
"release_date": "2026-04-30T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "To reduce the attack surface, restrict network access to the Keycloak server\u0027s administration and API endpoints to trusted networks or hosts. This limits the ability of unauthorized users to interact with the server and potentially exploit this improper access control vulnerability. If the Keycloak service is reloaded or restarted, ensure that firewall rules or network access controls remain in effect.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the account Account API feature is disabled"
},
{
"acknowledgments": [
{
"names": [
"Martin Barto\u0161"
],
"organization": "RedHat"
}
],
"cve": "CVE-2026-8830",
"cwe": {
"id": "CWE-603",
"name": "Use of Client-Side Authentication"
},
"discovery_date": "2026-05-18T13:09:00.257429+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2479565"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential\u0027s parameters, such as public key algorithms, match the realm\u0027s configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak/keycloak-services: Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Moderate security flaw was found in Keycloak\u0027s WebAuthn credential registration process. This issue allows an authenticated attacker to bypass configured WebAuthn policies, such as algorithm requirements or user verification, by manipulating client-side JavaScript during registration. This bypass could lead to the registration of credentials that do not meet the intended security standards, potentially weakening the overall authentication posture.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-8830"
},
{
"category": "external",
"summary": "RHBZ#2479565",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479565"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-8830",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8830"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-8830",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8830"
}
],
"release_date": "2026-05-19T05:00:04.741000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak/keycloak-services: Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation"
},
{
"acknowledgments": [
{
"names": [
"Joy Gilbert",
"Reynaldo Immanuel"
]
}
],
"cve": "CVE-2026-8922",
"cwe": {
"id": "CWE-303",
"name": "Incorrect Implementation of Authentication Algorithm"
},
"discovery_date": "2026-05-18T14:50:44.323413+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2479586"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak\u0027s OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially leading to unauthorized access or continued session validity. This could impact the security of systems utilizing Keycloak for identity and access management.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: Security flaw in org.keycloak/keycloak-services",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Red Hat Build of Keycloak allows revoked OpenID Connect (OIDC) tokens to remain active due to a failure in honoring realm-level revocation policies when client-level `notBefore` values are also configured. This occurs because the client-level setting can interfere with the intended realm-level revocation, leading to a temporary bypass of security controls.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-8922"
},
{
"category": "external",
"summary": "RHBZ#2479586",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479586"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-8922",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8922"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-8922",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8922"
}
],
"release_date": "2026-05-19T06:22:56.138000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: Security flaw in org.keycloak/keycloak-services"
},
{
"acknowledgments": [
{
"names": [
"Swapnil Paliwal \u0026 Security Team"
],
"organization": "AxiomCode"
}
],
"cve": "CVE-2026-9083",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-05-20T14:11:24.606000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480168"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A realm administrator with the \"manage-realm\" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Medium: This flaw in Keycloak allows a highly privileged realm administrator with the \"manage-realm\" role to perform arbitrary filesystem path probing. By submitting a crafted keystore path, an authenticated attacker can determine the existence and readability of files on the Keycloak server, potentially identifying high-value targets for further attacks. Exploitation requires an attacker to possess the \"manage-realm\" role, which is a high-level administrative permission.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9083"
},
{
"category": "external",
"summary": "RHBZ#2480168",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480168"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9083",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9083"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9083",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9083"
}
],
"release_date": "2026-06-25T15:58:16.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "Ensure that only highly trusted administrators are granted the \"manage-realm\" role within Keycloak. This role provides extensive administrative privileges, including the ability to exploit this vulnerability for filesystem probing. Regularly review and audit users assigned to this role to minimize the attack surface.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing"
},
{
"acknowledgments": [
{
"names": [
"saku0512"
]
}
],
"cve": "CVE-2026-9086",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-05-20T14:43:55.195000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480170"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated as High. Keycloak\u0027s client URI validation is vulnerable to a case-insensitivity issue, allowing attackers to bypass scheme blocklists by using mixed-case `javascript:` or `data:` URIs. This can lead to cross-site scripting (XSS) in the Keycloak origin when a victim interacts with a crafted link, such as during the logout flow. Exploitation requires an authenticated administrator with `manage-client` privileges or access to client registration endpoints, and user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9086"
},
{
"category": "external",
"summary": "RHBZ#2480170",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480170"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9086",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9086"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9086",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9086"
}
],
"release_date": "2026-06-25T15:58:33.359000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak\u0027s Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass"
},
{
"cve": "CVE-2026-9087",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-05-20T14:53:02.458000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480172"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId,\nidpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim\u0027s local account.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Important: A flaw in Keycloak\u0027s cross-session email verification allows an attacker to gain persistent access to a victim\u0027s local account. This occurs when an attacker controls an upstream identity provider account sharing an email with the victim, and the victim is actively linking their account while email verification is enabled and the identity provider is configured with `trustEmail=false`. The attacker can then consume the verification proof, linking their account to the victim\u0027s.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9087"
},
{
"category": "external",
"summary": "RHBZ#2480172",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480172"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9087",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9087"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9087",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9087"
}
],
"release_date": "2026-05-20T14:53:44.238000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "To mitigate this issue, configure the affected identity provider to set `trustEmail=true`. This ensures that Keycloak trusts the email address provided by the upstream identity provider, bypassing the vulnerable verification flow. This mitigation should only be applied if the upstream identity provider is fully trusted to verify email addresses and prevent malicious account creation with existing email addresses. Configuration changes may require a Keycloak service restart or reload to take effect.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login"
},
{
"acknowledgments": [
{
"names": [
"Hadley So"
]
}
],
"cve": "CVE-2026-9088",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2026-05-20T15:01:25.568000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480179"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied, leading to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure due to user profile permission bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Low: A flaw in Keycloak allows administrators with delegated access to read group memberships and users to bypass user profile permissions. This enables the viewing of user attributes that are configured to be denied, impacting data confidentiality for specific administrative roles.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9088"
},
{
"category": "external",
"summary": "RHBZ#2480179",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480179"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9088",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9088"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9088",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9088"
}
],
"release_date": "2026-06-05T07:45:40.116000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: Keycloak: Information disclosure due to user profile permission bypass"
},
{
"cve": "CVE-2026-9099",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-05-20T15:05:54.381000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480182"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Group-Admin Escalation to Realm-Admin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as High impact. When Fine-Grained Admin Permissions (FGAPv2) are enabled in Keycloak, a delegated administrator with specific `manage-members` permissions on a low-privilege group can bypass authorization checks to reparent any other group, including those with `realm-admin` roles. This allows the attacker to reset passwords of members in the stolen group, leading to a full realm takeover.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9099"
},
{
"category": "external",
"summary": "RHBZ#2480182",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9099"
}
],
"release_date": "2026-06-25T15:58:51.884000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Group-Admin Escalation to Realm-Admin"
},
{
"acknowledgments": [
{
"names": [
"Filip Jovanov (PegasusMKD)"
]
}
],
"cve": "CVE-2026-9704",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-05-27T12:27:13.702000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2481877"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client\u0027s service account, leading to privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate flaw in Keycloak allows an authenticated, low-privileged user to escalate privileges. By submitting an oversized `subject_token` JWT to the TokenEndpoint, the system defaults to client credentials, granting the attacker the client\u0027s service account permissions. This bypass occurs when the token exceeds a 4000-character limit, leading to an unintended privilege gain.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9704"
},
{
"category": "external",
"summary": "RHBZ#2481877",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481877"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9704",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9704"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9704",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9704"
}
],
"release_date": "2026-05-27T12:45:59.735000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "To prevent the silent dropping of oversized `subject_token` JWTs, configure Keycloak to enforce strict parameter validation. This involves setting the `fail-fast` parameter to `true` for the `TokenEndpoint` configuration, which will cause requests with oversized parameters to be rejected explicitly rather than silently processed with reduced privileges. Consult Keycloak documentation for the exact method to modify these settings. A restart of the Keycloak service may be necessary for the changes to apply.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT"
},
{
"acknowledgments": [
{
"names": [
"Qiulin Deng"
]
}
],
"cve": "CVE-2026-9705",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2026-05-27T12:42:28.395000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2481878"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client\u0027s secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Moderate flaw was found in Keycloak where a disabled client can be re-enabled by an attacker who retains a Registration Access Token (RAT) from a prior legitimate client registration. This allows the attacker to bypass the administrator\u0027s explicit intent to disable the client, reset its secret, and restore OAuth client_credentials capability, potentially leading to unauthorized access to resources.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9705"
},
{
"category": "external",
"summary": "RHBZ#2481878",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481878"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9705",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9705"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705"
}
],
"release_date": "2026-06-25T15:59:03.780000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "To mitigate this issue, restrict network access to the Keycloak Dynamic Client Registration endpoint. Configure network firewalls to allow connections only from trusted hosts or networks that legitimately require access to this functionality. This limits the exposure of the vulnerable endpoint to unauthorized access attempts.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-9791",
"cwe": {
"id": "CWE-863",
"name": "Incorrect Authorization"
},
"discovery_date": "2026-05-28T03:06:33+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482458"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the \u0027organization\u0027 scope. This allows organization metadata to be disclosed in tokens, even after an administrator has explicitly disabled the Organizations feature, potentially leading to incorrect authorization decisions by resource servers.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak-rhel9: Organization Data Leak After Feature Disabled in Keycloak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Keycloak fails to enforce the disabled state of the Organizations feature on user-facing APIs, allowing authenticated users to retrieve organization membership data and obtain tokens with organization claims even after an administrator has disabled the feature at the realm level.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9791"
},
{
"category": "external",
"summary": "RHBZ#2482458",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482458"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9791",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9791"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9791",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9791"
}
],
"release_date": "2026-05-28T03:08:53.319000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "Administrators should verify that disabling the Organizations feature properly blocks all organization-related functionality. Consider implementing additional access controls or removing organization memberships before disabling the feature.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak-rhel9: Organization Data Leak After Feature Disabled in Keycloak"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
],
"organization": "Independent Security Researcher"
}
],
"cve": "CVE-2026-9792",
"cwe": {
"id": "CWE-280",
"name": "Improper Handling of Insufficient Permissions or Privileges"
},
"discovery_date": "2026-05-28T03:09:09.710000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482459"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant` executor is silently bypassed. This allows an unauthenticated remote attacker to obtain tokens via a Resource Owner Password Credentials (ROPC) grant, even when a policy is explicitly configured to block it. This bypass can lead to unauthorized access and information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Medium severity flaw in Keycloak allows client policies designed to reject Resource Owner Password Credentials (ROPC) grants to be bypassed. When specific condition providers (client-type, client-roles, client-attributes, or client-scopes) are used, clients can obtain tokens via ROPC despite explicit policy configuration to block such requests. This impacts Keycloak deployments where administrators rely on these policies to enforce FAPI 2.0 compliance and prevent credential exposure.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9792"
},
{
"category": "external",
"summary": "RHBZ#2482459",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482459"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9792",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9792"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9792",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9792"
}
],
"release_date": "2026-05-28T03:10:21.828000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "To mitigate this issue, Keycloak administrators should review and adjust client policies designed to reject Resource Owner Password Credentials (ROPC) grants. Avoid using the `client-type`, `client-roles`, `client-attributes`, or `client-scopes` condition providers in conjunction with the `reject-ropc-grant` executor. Instead, configure policies to use the `grant-type` condition provider for ROPC rejection. A restart or reload of the Keycloak service may be required for these policy changes to take full effect.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition"
},
{
"acknowledgments": [
{
"names": [
"Muhammed Hussein",
"Asaad Mostafa"
]
}
],
"cve": "CVE-2026-9794",
"cwe": {
"id": "CWE-209",
"name": "Generation of Error Message Containing Sensitive Information"
},
"discovery_date": "2026-05-28T03:14:55.617000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482461"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the responses, the attacker can determine the client\u0027s protocol type, leading to information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure via SAML ECP endpoint",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate-severity information disclosure flaw in Keycloak allows an unauthenticated, remote attacker to enumerate client protocol types. By sending specially crafted SOAP requests to the SAML ECP endpoint and analyzing the resulting faultstrings, an attacker can discern the protocol associated with different client IDs, aiding in further targeted attacks.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9794"
},
{
"category": "external",
"summary": "RHBZ#2482461",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482461"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9794",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9794"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9794",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9794"
}
],
"release_date": "2026-05-28T03:15:43.066000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Information disclosure via SAML ECP endpoint"
},
{
"acknowledgments": [
{
"names": [
"Andrej Tomci"
]
}
],
"cve": "CVE-2026-9795",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2026-05-28T03:15:51.639000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client\u0027s scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user\u0027s authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important privilege escalation flaw in Keycloak when Fine-Grained Admin Permissions (FGAPv2) are enabled. An attacker with fine-grained client management permissions can bypass role mapping restrictions, allowing them to inject arbitrary realm roles into a client\u0027s scope. Subsequent authentication by a privileged user through the compromised client would then project these injected roles into their token, leading to unauthorized access. Exploitation requires specific administrative preconditions and user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9795"
},
{
"category": "external",
"summary": "RHBZ#2482462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9795",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9795"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9795",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9795"
}
],
"release_date": "2026-05-28T03:16:49.326000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "To mitigate this issue, disable the Fine-Grained Admin Permissions (FGAPv2) feature in Keycloak if it is not strictly required. This can typically be done by setting `adminPermissionsEnabled` to `false` in the realm configuration. Disabling FGAPv2 will prevent the exploitation of this flaw by removing the vulnerable functionality. However, this may impact administrative delegation capabilities within Keycloak. A restart or reload of the Keycloak service may be required for the changes to take effect.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement"
},
{
"acknowledgments": [
{
"names": [
"Omaroo Baniessa"
]
}
],
"cve": "CVE-2026-9799",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-05-28T03:53:15.687000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482471"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized access to resources via UMA permission ticket bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Medium severity flaw exists in Keycloak\u0027s authorization component where a user with a UMA permission ticket for a specific resource type can gain unauthorized access to all resources of that type. This bypass occurs when the resource server is configured with the non-default PERMISSIVE policy enforcement mode, has ownerManagedAccess enabled for typed resources, and lacks a covering policy for the resource type. Exploitation requires an authenticated user with an existing permission ticket, limiting its impact to specific, non-default Keycloak deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9799"
},
{
"category": "external",
"summary": "RHBZ#2482471",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482471"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9799",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9799"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9799",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9799"
}
],
"release_date": "2026-05-19T12:34:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "To mitigate this issue, ensure that the Keycloak client\u0027s policy enforcement mode is set to ENFORCING instead of PERMISSIVE. The PERMISSIVE mode is a non-default configuration that enables the vulnerability. Changing this setting will prevent the unauthorized access to resources of the same type. Consult Keycloak documentation for specific instructions on configuring policy enforcement mode for your client. This change may require a restart or reload of the Keycloak service to take effect and could impact existing authorization policies if not carefully managed.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Unauthorized access to resources via UMA permission ticket bypass"
},
{
"acknowledgments": [
{
"names": [
"Bas Levering"
]
}
],
"cve": "CVE-2026-9800",
"cwe": {
"id": "CWE-1025",
"name": "Comparison Using Wrong Factors"
},
"discovery_date": "2026-05-28T03:57:56.111000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482472"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9800"
},
{
"category": "external",
"summary": "RHBZ#2482472",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482472"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9800"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9800",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9800"
}
],
"release_date": "2026-05-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison"
},
{
"acknowledgments": [
{
"names": [
"Seongkuk Park"
]
}
],
"cve": "CVE-2026-9801",
"cwe": {
"id": "CWE-1284",
"name": "Improper Validation of Specified Quantity in Input"
},
"discovery_date": "2026-05-28T04:00:39.339000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482473"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password policy response during a password authentication request, the attacker can trigger an OutOfMemoryError. This causes the Keycloak Java Virtual Machine (JVM) to terminate, leading to a denial of service (DoS) for all realms on the affected node.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via malformed LDAP password policy response",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability in Keycloak presents a denial-of-service risk when an LDAP user-storage provider is configured. A highly privileged attacker, such as a realm administrator or through a compromised LDAP connection, can send a malformed LDAP password-policy response. This triggers an OutOfMemoryError, causing the Keycloak JVM to terminate and resulting in a complete outage of the node.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9801"
},
{
"category": "external",
"summary": "RHBZ#2482473",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482473"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9801",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9801"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9801",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9801"
}
],
"release_date": "2026-05-28T04:18:25.872000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, ensure that Keycloak\u0027s LDAP user-storage providers are configured to connect only to trusted and secure LDAP servers. Avoid configuring LDAP federation with unverified or potentially malicious LDAP endpoints. Additionally, always use TLS for LDAP connections to prevent Man-in-the-Middle attacks. If an upstream LDAP server is compromised, it should be isolated and secured immediately.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Denial of Service via malformed LDAP password policy response"
},
{
"acknowledgments": [
{
"names": [
"Gyeongpyo Son"
]
}
],
"cve": "CVE-2026-9802",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2026-05-28T04:01:03.837000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482467"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user\u0027s refresh token, to replay that token even after it has been revoked. Successful exploitation grants the attacker unauthorized access to the victim\u0027s account, potentially leading to information disclosure or privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized account access via replayed refresh tokens after cluster restart",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A flaw in Keycloak, when configured with `revokeRefreshToken=true` and persistent session storage, allows a remote attacker to regain unauthorized access. Following a full cluster restart, a previously revoked refresh token, if captured by an attacker, can be replayed to bypass security checks. This could lead to unauthorized account access, potentially resulting in information disclosure or privilege escalation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9802"
},
{
"category": "external",
"summary": "RHBZ#2482467",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482467"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9802",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9802"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9802",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9802"
}
],
"release_date": "2026-05-28T04:10:26.145000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Unauthorized account access via replayed refresh tokens after cluster restart"
},
{
"acknowledgments": [
{
"names": [
"Mustafa \u00c7etin"
]
}
],
"cve": "CVE-2026-9803",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"discovery_date": "2026-05-28T04:02:15.892000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482465"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed \u0027Authorization: Bearer\u0027 header to any client registration endpoint. This can lead to an ArrayIndexOutOfBoundsException, causing the server to return an HTTP 500 error and resulting in a Denial of Service (DoS) for the affected service.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via malformed Authorization header",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Moderate denial of service flaw was found in Keycloak\u0027s client registration endpoints. An unauthenticated attacker can send a specially crafted request with a malformed \u0027Authorization: Bearer\u0027 header, causing an ArrayIndexOutOfBoundsException and an HTTP 500 error. This can lead to a temporary disruption of service for the Keycloak instance.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9803"
},
{
"category": "external",
"summary": "RHBZ#2482465",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482465"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9803",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9803"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9803",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9803"
}
],
"release_date": "2026-05-28T04:03:01.292000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Denial of Service via malformed Authorization header"
},
{
"cve": "CVE-2026-37977",
"cwe": {
"id": "CWE-346",
"name": "Origin Validation Error"
},
"discovery_date": "2026-04-06T07:49:33.467949+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455324"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak\u0027s User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: [\"*\"]`.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Low impact: This vulnerability in Keycloak\u0027s UMA token endpoint allows for CORS header injection when a client is misconfigured with `webOrigins: [\"*\"]`. This can lead to the exposure of low-sensitivity information from authorization server error responses. Exploitation requires a specific client misconfiguration and does not affect default Keycloak installations.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-37977"
},
{
"category": "external",
"summary": "RHBZ#2455324",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455324"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-37977",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37977"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-37977",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37977"
}
],
"release_date": "2026-04-06T08:34:01.137000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T17:40:47+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30050"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:dc6f5cde01bde313152b99cbead708160e43be14804f0ff768123fa9f54b4a4b_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:502c9e94ad138d062ca6e81de89284f5bcc0d27595b193498cf35f7e1bff9a40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:8b4788a5f7e7687f3cc98a80407057a915d516aa79ff2e879780fa13e3be738f_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:bb723943f57bf3f1b02f8b67e3aff2043b30f867dbf90155a5596b954073f57e_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:c56fdf74f5055b2ed0aa1a5706f1fe5428692aaa4d107d2081fb7c6ee7d5ace0_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:05b207815e7e032115df73466875ac10436fb304bec7322e7a0a1a919901fdab_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:183d2a02d613de6745e0741333c4d34d8544b74866efac9237c46f26114b8c66_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:70634542b3ae6f9c0593bd6a63d2e9fa4667c27d1cbf78c07bee4b1ebc1b6706_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:d94079e34e41affcb63b6094781e9e0bb0c1e15ae2f24c93ad7bf6353937ec9a_s390x"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim"
}
]
}
RHSA-2026:30083
Vulnerability from csaf_redhat - Published: 2026-06-25 18:47 - Updated: 2026-06-26 06:46Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.6.4 Security Update
Severity
Important
Notes
Topic: New Red Hat build of Keycloak 26.6.4 packages are available from the Customer Portal
Details: Red Hat build of Keycloak 26.6.4 is a standalone server, based on
the Keycloak project, that provides authentication and
standards-based single sign-on capabilities for web and mobile
applications.
Security fixes:
* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)
* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)
* eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name (CVE-2026-6860)
* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)
* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)
* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)
* Information disclosure through arbitrary filesystem path probing (CVE-2026-9083)
* Cross-site scripting (XSS) via case-insensitive URI validation bypass (CVE-2026-9086)
* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)
* Information disclosure due to user profile permission bypass (CVE-2026-9088)
* Group-Admin Escalation to Realm-Admin (CVE-2026-9099)
* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)
* Attacker can re-enable and take over disabled clients via Registration Access Token (CVE-2026-9705)
* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)
* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)
* Information disclosure via SAML ECP endpoint (CVE-2026-9794)
* Privilege escalation via improper scope mapping enforcement (CVE-2026-9795)
* Unauthorized access to resources via UMA permission ticket bypass (CVE-2026-9799)
* Authorization bypass via incorrect URI comparison (CVE-2026-9800)
* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)
* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)
* Denial of Service via malformed Authorization header (CVE-2026-9803)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in eclipse-vertx/vert.x. A remote attacker can exploit this vulnerability by performing a Transport Layer Security (TLS) handshake and presenting a server name extension with a server wildcard name. This can lead to a denial of service (DoS) condition, impacting the availability of the affected system.
5.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.4
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.
4.9 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.4
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
7.3 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.4
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
7.7 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.4
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.4
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
7.3 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.4
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.
4.6 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.4
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.4
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.6.4
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.6::el9
|
— |
Vendor Fix
fix
|
Threats
Impact
Important
References
42 references
Acknowledgments
AxiomCode
Swapnil Paliwal & Security Team
saku0512
Qiulin Deng
Andrej Tomci
Omaroo Baniessa
Bas Levering
Bilal Teke
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat build of Keycloak 26.6.4 packages are available from the Customer Portal",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak 26.6.4 is a standalone server, based on\nthe Keycloak project, that provides authentication and\nstandards-based single sign-on capabilities for web and mobile\napplications.\n\nSecurity fixes:\n* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)\n* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)\n* eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name (CVE-2026-6860)\n* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)\n* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)\n* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)\n* Information disclosure through arbitrary filesystem path probing (CVE-2026-9083)\n* Cross-site scripting (XSS) via case-insensitive URI validation bypass (CVE-2026-9086)\n* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)\n* Information disclosure due to user profile permission bypass (CVE-2026-9088)\n* Group-Admin Escalation to Realm-Admin (CVE-2026-9099)\n* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)\n* Attacker can re-enable and take over disabled clients via Registration Access Token (CVE-2026-9705)\n* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)\n* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)\n* Information disclosure via SAML ECP endpoint (CVE-2026-9794)\n* Privilege escalation via improper scope mapping enforcement (CVE-2026-9795)\n* Unauthorized access to resources via UMA permission ticket bypass (CVE-2026-9799)\n* Authorization bypass via incorrect URI comparison (CVE-2026-9800)\n* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)\n* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)\n* Denial of Service via malformed Authorization header (CVE-2026-9803)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:30083",
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_30083.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.6.4 Security Update",
"tracking": {
"current_release_date": "2026-06-26T06:46:45+00:00",
"generator": {
"date": "2026-06-26T06:46:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.2.5"
}
},
"id": "RHSA-2026:30083",
"initial_release_date": "2026-06-25T18:47:39+00:00",
"revision_history": [
{
"date": "2026-06-25T18:47:39+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-25T18:47:39+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-26T06:46:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.6.4",
"product": {
"name": "Red Hat build of Keycloak 26.6.4",
"product_id": "Red Hat build of Keycloak 26.6.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.6::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-6860",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-05-06T10:01:43.929832+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466990"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in eclipse-vertx/vert.x. A remote attacker can exploit this vulnerability by performing a Transport Layer Security (TLS) handshake and presenting a server name extension with a server wildcard name. This can lead to a denial of service (DoS) condition, impacting the availability of the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "eclipse-vertx/vert.x: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated as Moderate because a remote attacker can trigger a denial of service in Red Hat products that use `eclipse-vertx/vert.x` and are configured with TLS wildcard server names. Exploitation occurs during the TLS handshake, impacting service availability without affecting data confidentiality or integrity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6860"
},
{
"category": "external",
"summary": "RHBZ#2466990",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466990"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6860",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6860"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6860",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6860"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/pull/6102",
"url": "https://github.com/eclipse-vertx/vert.x/pull/6102"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6",
"url": "https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381"
}
],
"release_date": "2026-05-06T09:55:12.531000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:47:39+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "eclipse-vertx/vert.x: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name"
},
{
"acknowledgments": [
{
"names": [
"Swapnil Paliwal \u0026 Security Team"
],
"organization": "AxiomCode"
}
],
"cve": "CVE-2026-9083",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-05-20T14:11:24.606000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480168"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A realm administrator with the \"manage-realm\" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Medium: This flaw in Keycloak allows a highly privileged realm administrator with the \"manage-realm\" role to perform arbitrary filesystem path probing. By submitting a crafted keystore path, an authenticated attacker can determine the existence and readability of files on the Keycloak server, potentially identifying high-value targets for further attacks. Exploitation requires an attacker to possess the \"manage-realm\" role, which is a high-level administrative permission.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9083"
},
{
"category": "external",
"summary": "RHBZ#2480168",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480168"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9083",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9083"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9083",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9083"
}
],
"release_date": "2026-06-25T15:58:16.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:47:39+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"category": "workaround",
"details": "Ensure that only highly trusted administrators are granted the \"manage-realm\" role within Keycloak. This role provides extensive administrative privileges, including the ability to exploit this vulnerability for filesystem probing. Regularly review and audit users assigned to this role to minimize the attack surface.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing"
},
{
"acknowledgments": [
{
"names": [
"saku0512"
]
}
],
"cve": "CVE-2026-9086",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-05-20T14:43:55.195000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480170"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated as High. Keycloak\u0027s client URI validation is vulnerable to a case-insensitivity issue, allowing attackers to bypass scheme blocklists by using mixed-case `javascript:` or `data:` URIs. This can lead to cross-site scripting (XSS) in the Keycloak origin when a victim interacts with a crafted link, such as during the logout flow. Exploitation requires an authenticated administrator with `manage-client` privileges or access to client registration endpoints, and user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9086"
},
{
"category": "external",
"summary": "RHBZ#2480170",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480170"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9086",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9086"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9086",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9086"
}
],
"release_date": "2026-06-25T15:58:33.359000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:47:39+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak\u0027s Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass"
},
{
"cve": "CVE-2026-9099",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-05-20T15:05:54.381000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480182"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Group-Admin Escalation to Realm-Admin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as High impact. When Fine-Grained Admin Permissions (FGAPv2) are enabled in Keycloak, a delegated administrator with specific `manage-members` permissions on a low-privilege group can bypass authorization checks to reparent any other group, including those with `realm-admin` roles. This allows the attacker to reset passwords of members in the stolen group, leading to a full realm takeover.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9099"
},
{
"category": "external",
"summary": "RHBZ#2480182",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9099"
}
],
"release_date": "2026-06-25T15:58:51.884000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:47:39+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"category": "workaround",
"details": "To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Group-Admin Escalation to Realm-Admin"
},
{
"acknowledgments": [
{
"names": [
"Qiulin Deng"
]
}
],
"cve": "CVE-2026-9705",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2026-05-27T12:42:28.395000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2481878"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client\u0027s secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Moderate flaw was found in Keycloak where a disabled client can be re-enabled by an attacker who retains a Registration Access Token (RAT) from a prior legitimate client registration. This allows the attacker to bypass the administrator\u0027s explicit intent to disable the client, reset its secret, and restore OAuth client_credentials capability, potentially leading to unauthorized access to resources.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9705"
},
{
"category": "external",
"summary": "RHBZ#2481878",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481878"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9705",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9705"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705"
}
],
"release_date": "2026-06-25T15:59:03.780000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:47:39+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"category": "workaround",
"details": "To mitigate this issue, restrict network access to the Keycloak Dynamic Client Registration endpoint. Configure network firewalls to allow connections only from trusted hosts or networks that legitimately require access to this functionality. This limits the exposure of the vulnerable endpoint to unauthorized access attempts.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token"
},
{
"acknowledgments": [
{
"names": [
"Andrej Tomci"
]
}
],
"cve": "CVE-2026-9795",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2026-05-28T03:15:51.639000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client\u0027s scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user\u0027s authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important privilege escalation flaw in Keycloak when Fine-Grained Admin Permissions (FGAPv2) are enabled. An attacker with fine-grained client management permissions can bypass role mapping restrictions, allowing them to inject arbitrary realm roles into a client\u0027s scope. Subsequent authentication by a privileged user through the compromised client would then project these injected roles into their token, leading to unauthorized access. Exploitation requires specific administrative preconditions and user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9795"
},
{
"category": "external",
"summary": "RHBZ#2482462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9795",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9795"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9795",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9795"
}
],
"release_date": "2026-05-28T03:16:49.326000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:47:39+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"category": "workaround",
"details": "To mitigate this issue, disable the Fine-Grained Admin Permissions (FGAPv2) feature in Keycloak if it is not strictly required. This can typically be done by setting `adminPermissionsEnabled` to `false` in the realm configuration. Disabling FGAPv2 will prevent the exploitation of this flaw by removing the vulnerable functionality. However, this may impact administrative delegation capabilities within Keycloak. A restart or reload of the Keycloak service may be required for the changes to take effect.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement"
},
{
"acknowledgments": [
{
"names": [
"Omaroo Baniessa"
]
}
],
"cve": "CVE-2026-9799",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-05-28T03:53:15.687000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482471"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized access to resources via UMA permission ticket bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Medium severity flaw exists in Keycloak\u0027s authorization component where a user with a UMA permission ticket for a specific resource type can gain unauthorized access to all resources of that type. This bypass occurs when the resource server is configured with the non-default PERMISSIVE policy enforcement mode, has ownerManagedAccess enabled for typed resources, and lacks a covering policy for the resource type. Exploitation requires an authenticated user with an existing permission ticket, limiting its impact to specific, non-default Keycloak deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9799"
},
{
"category": "external",
"summary": "RHBZ#2482471",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482471"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9799",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9799"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9799",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9799"
}
],
"release_date": "2026-05-19T12:34:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:47:39+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"category": "workaround",
"details": "To mitigate this issue, ensure that the Keycloak client\u0027s policy enforcement mode is set to ENFORCING instead of PERMISSIVE. The PERMISSIVE mode is a non-default configuration that enables the vulnerability. Changing this setting will prevent the unauthorized access to resources of the same type. Consult Keycloak documentation for specific instructions on configuring policy enforcement mode for your client. This change may require a restart or reload of the Keycloak service to take effect and could impact existing authorization policies if not carefully managed.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Unauthorized access to resources via UMA permission ticket bypass"
},
{
"acknowledgments": [
{
"names": [
"Bas Levering"
]
}
],
"cve": "CVE-2026-9800",
"cwe": {
"id": "CWE-1025",
"name": "Comparison Using Wrong Factors"
},
"discovery_date": "2026-05-28T03:57:56.111000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482472"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9800"
},
{
"category": "external",
"summary": "RHBZ#2482472",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482472"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9800"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9800",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9800"
}
],
"release_date": "2026-05-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:47:39+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison"
},
{
"acknowledgments": [
{
"names": [
"Bilal Teke"
]
}
],
"cve": "CVE-2026-11800",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"discovery_date": "2026-06-09T05:06:35.697000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak:keycloak-services: Keycloak: Authentication bypass via JWT algorithm confusion",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.6.4"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-11800"
},
{
"category": "external",
"summary": "RHBZ#2487006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-11800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11800"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-11800",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11800"
}
],
"release_date": "2026-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:47:39+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.6.4"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30083"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.6.4"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak:keycloak-services: Keycloak: Authentication bypass via JWT algorithm confusion"
}
]
}
RHSA-2026:30084
Vulnerability from csaf_redhat - Published: 2026-06-25 18:50 - Updated: 2026-06-26 06:46Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.6.4 Images Security Update
Severity
Important
Notes
Topic: New images are available for Red Hat build of Keycloak 26.6.4 and
Red Hat build of Keycloak 26.6.4 Operator, running on OpenShift
Container Platform
Details: Red Hat build of Keycloak is an integrated sign-on solution,
available as a Red Hat JBoss Middleware for OpenShift containerized
image. The Red Hat build of Keycloak for OpenShift image provides
an authentication server that you can use to log in centrally, log
out, and register. You can also manage user accounts for web
applications, mobile applications, and RESTful web services.
Red Hat build of Keycloak Operator for OpenShift simplifies
deployment and management of Keycloak 26.6.4 clusters.
This erratum releases new images for Red Hat build of Keycloak
26.6.4 for use within the OpenShift Container Platform cloud
computing Platform-as-a-Service (PaaS) for on-premise or private
cloud deployments, aligning with the standalone product release.
Security fixes:
* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)
* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)
* eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name (CVE-2026-6860)
* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)
* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)
* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)
* Information disclosure through arbitrary filesystem path probing (CVE-2026-9083)
* Cross-site scripting (XSS) via case-insensitive URI validation bypass (CVE-2026-9086)
* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)
* Information disclosure due to user profile permission bypass (CVE-2026-9088)
* Group-Admin Escalation to Realm-Admin (CVE-2026-9099)
* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)
* Attacker can re-enable and take over disabled clients via Registration Access Token (CVE-2026-9705)
* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)
* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)
* Information disclosure via SAML ECP endpoint (CVE-2026-9794)
* Privilege escalation via improper scope mapping enforcement (CVE-2026-9795)
* Unauthorized access to resources via UMA permission ticket bypass (CVE-2026-9799)
* Authorization bypass via incorrect URI comparison (CVE-2026-9800)
* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)
* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)
* Denial of Service via malformed Authorization header (CVE-2026-9803)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in eclipse-vertx/vert.x. A remote attacker can exploit this vulnerability by performing a Transport Layer Security (TLS) handshake and presenting a server name extension with a server wildcard name. This can lead to a denial of service (DoS) condition, impacting the availability of the affected system.
5.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.
4.9 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.
7.3 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.
7.7 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.
6.5 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.
7.3 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.
4.6 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.
8.1 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.
8.1 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64 | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x | — |
Vendor Fix
fix
|
|
| Unresolved product id: 9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64 | — |
Vendor Fix
fix
|
Threats
Impact
Important
References
42 references
Acknowledgments
AxiomCode
Swapnil Paliwal & Security Team
saku0512
Qiulin Deng
Andrej Tomci
Omaroo Baniessa
Bas Levering
Bilal Teke
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New images are available for Red Hat build of Keycloak 26.6.4 and\nRed Hat build of Keycloak 26.6.4 Operator, running on OpenShift\nContainer Platform",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak is an integrated sign-on solution,\navailable as a Red Hat JBoss Middleware for OpenShift containerized\nimage. The Red Hat build of Keycloak for OpenShift image provides\nan authentication server that you can use to log in centrally, log\nout, and register. You can also manage user accounts for web\napplications, mobile applications, and RESTful web services.\n\nRed Hat build of Keycloak Operator for OpenShift simplifies\ndeployment and management of Keycloak 26.6.4 clusters.\n\nThis erratum releases new images for Red Hat build of Keycloak\n26.6.4 for use within the OpenShift Container Platform cloud\ncomputing Platform-as-a-Service (PaaS) for on-premise or private\ncloud deployments, aligning with the standalone product release.\n\nSecurity fixes:\n* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)\n* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)\n* eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name (CVE-2026-6860)\n* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)\n* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)\n* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)\n* Information disclosure through arbitrary filesystem path probing (CVE-2026-9083)\n* Cross-site scripting (XSS) via case-insensitive URI validation bypass (CVE-2026-9086)\n* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)\n* Information disclosure due to user profile permission bypass (CVE-2026-9088)\n* Group-Admin Escalation to Realm-Admin (CVE-2026-9099)\n* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)\n* Attacker can re-enable and take over disabled clients via Registration Access Token (CVE-2026-9705)\n* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)\n* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)\n* Information disclosure via SAML ECP endpoint (CVE-2026-9794)\n* Privilege escalation via improper scope mapping enforcement (CVE-2026-9795)\n* Unauthorized access to resources via UMA permission ticket bypass (CVE-2026-9799)\n* Authorization bypass via incorrect URI comparison (CVE-2026-9800)\n* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)\n* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)\n* Denial of Service via malformed Authorization header (CVE-2026-9803)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:30084",
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_30084.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.6.4 Images Security Update",
"tracking": {
"current_release_date": "2026-06-26T06:46:45+00:00",
"generator": {
"date": "2026-06-26T06:46:45+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "5.2.5"
}
},
"id": "RHSA-2026:30084",
"initial_release_date": "2026-06-25T18:50:57+00:00",
"revision_history": [
{
"date": "2026-06-25T18:50:57+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-06-25T18:50:57+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-06-26T06:46:45+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.6",
"product": {
"name": "Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.6::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"product_id": "rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.6-8"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.6-8"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"product_id": "rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.6-8"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.6-8"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64",
"product_id": "rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.6-8"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"product": {
"name": "rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"product_id": "rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-operator-bundle\u0026tag=26.6.4-2"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.6-8"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"product_id": "rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.6-8"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.6-8"
}
}
}
],
"category": "architecture",
"name": "arm64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64 as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64"
},
"product_reference": "rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64 as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64 as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64 as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"relates_to_product_reference": "9Base-RHBK-26.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64 as a component of Red Hat build of Keycloak 26.6",
"product_id": "9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64",
"relates_to_product_reference": "9Base-RHBK-26.6"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-6860",
"cwe": {
"id": "CWE-770",
"name": "Allocation of Resources Without Limits or Throttling"
},
"discovery_date": "2026-05-06T10:01:43.929832+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2466990"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in eclipse-vertx/vert.x. A remote attacker can exploit this vulnerability by performing a Transport Layer Security (TLS) handshake and presenting a server name extension with a server wildcard name. This can lead to a denial of service (DoS) condition, impacting the availability of the affected system.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "eclipse-vertx/vert.x: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated as Moderate because a remote attacker can trigger a denial of service in Red Hat products that use `eclipse-vertx/vert.x` and are configured with TLS wildcard server names. Exploitation occurs during the TLS handshake, impacting service availability without affecting data confidentiality or integrity.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-6860"
},
{
"category": "external",
"summary": "RHBZ#2466990",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466990"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-6860",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6860"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6860",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6860"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/pull/6102",
"url": "https://github.com/eclipse-vertx/vert.x/pull/6102"
},
{
"category": "external",
"summary": "https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6",
"url": "https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6"
},
{
"category": "external",
"summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381",
"url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381"
}
],
"release_date": "2026-05-06T09:55:12.531000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:50:57+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "eclipse-vertx/vert.x: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name"
},
{
"acknowledgments": [
{
"names": [
"Swapnil Paliwal \u0026 Security Team"
],
"organization": "AxiomCode"
}
],
"cve": "CVE-2026-9083",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2026-05-20T14:11:24.606000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480168"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A realm administrator with the \"manage-realm\" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Medium: This flaw in Keycloak allows a highly privileged realm administrator with the \"manage-realm\" role to perform arbitrary filesystem path probing. By submitting a crafted keystore path, an authenticated attacker can determine the existence and readability of files on the Keycloak server, potentially identifying high-value targets for further attacks. Exploitation requires an attacker to possess the \"manage-realm\" role, which is a high-level administrative permission.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9083"
},
{
"category": "external",
"summary": "RHBZ#2480168",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480168"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9083",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9083"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9083",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9083"
}
],
"release_date": "2026-06-25T15:58:16.784000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:50:57+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"category": "workaround",
"details": "Ensure that only highly trusted administrators are granted the \"manage-realm\" role within Keycloak. This role provides extensive administrative privileges, including the ability to exploit this vulnerability for filesystem probing. Regularly review and audit users assigned to this role to minimize the attack surface.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing"
},
{
"acknowledgments": [
{
"names": [
"saku0512"
]
}
],
"cve": "CVE-2026-9086",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2026-05-20T14:43:55.195000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480170"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This flaw is rated as High. Keycloak\u0027s client URI validation is vulnerable to a case-insensitivity issue, allowing attackers to bypass scheme blocklists by using mixed-case `javascript:` or `data:` URIs. This can lead to cross-site scripting (XSS) in the Keycloak origin when a victim interacts with a crafted link, such as during the logout flow. Exploitation requires an authenticated administrator with `manage-client` privileges or access to client registration endpoints, and user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9086"
},
{
"category": "external",
"summary": "RHBZ#2480170",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480170"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9086",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9086"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9086",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9086"
}
],
"release_date": "2026-06-25T15:58:33.359000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:50:57+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak\u0027s Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass"
},
{
"cve": "CVE-2026-9099",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-05-20T15:05:54.381000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2480182"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Group-Admin Escalation to Realm-Admin",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability is rated as High impact. When Fine-Grained Admin Permissions (FGAPv2) are enabled in Keycloak, a delegated administrator with specific `manage-members` permissions on a low-privilege group can bypass authorization checks to reparent any other group, including those with `realm-admin` roles. This allows the attacker to reset passwords of members in the stolen group, leading to a full realm takeover.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9099"
},
{
"category": "external",
"summary": "RHBZ#2480182",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9099",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9099"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9099",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9099"
}
],
"release_date": "2026-06-25T15:58:51.884000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:50:57+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"category": "workaround",
"details": "To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Group-Admin Escalation to Realm-Admin"
},
{
"acknowledgments": [
{
"names": [
"Qiulin Deng"
]
}
],
"cve": "CVE-2026-9705",
"cwe": {
"id": "CWE-613",
"name": "Insufficient Session Expiration"
},
"discovery_date": "2026-05-27T12:42:28.395000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2481878"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client\u0027s secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Moderate flaw was found in Keycloak where a disabled client can be re-enabled by an attacker who retains a Registration Access Token (RAT) from a prior legitimate client registration. This allows the attacker to bypass the administrator\u0027s explicit intent to disable the client, reset its secret, and restore OAuth client_credentials capability, potentially leading to unauthorized access to resources.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9705"
},
{
"category": "external",
"summary": "RHBZ#2481878",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481878"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9705",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9705"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705"
}
],
"release_date": "2026-06-25T15:59:03.780000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:50:57+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"category": "workaround",
"details": "To mitigate this issue, restrict network access to the Keycloak Dynamic Client Registration endpoint. Configure network firewalls to allow connections only from trusted hosts or networks that legitimately require access to this functionality. This limits the exposure of the vulnerable endpoint to unauthorized access attempts.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token"
},
{
"acknowledgments": [
{
"names": [
"Andrej Tomci"
]
}
],
"cve": "CVE-2026-9795",
"cwe": {
"id": "CWE-266",
"name": "Incorrect Privilege Assignment"
},
"discovery_date": "2026-05-28T03:15:51.639000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482462"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client\u0027s scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user\u0027s authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is an Important privilege escalation flaw in Keycloak when Fine-Grained Admin Permissions (FGAPv2) are enabled. An attacker with fine-grained client management permissions can bypass role mapping restrictions, allowing them to inject arbitrary realm roles into a client\u0027s scope. Subsequent authentication by a privileged user through the compromised client would then project these injected roles into their token, leading to unauthorized access. Exploitation requires specific administrative preconditions and user interaction.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9795"
},
{
"category": "external",
"summary": "RHBZ#2482462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482462"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9795",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9795"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9795",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9795"
}
],
"release_date": "2026-05-28T03:16:49.326000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:50:57+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"category": "workaround",
"details": "To mitigate this issue, disable the Fine-Grained Admin Permissions (FGAPv2) feature in Keycloak if it is not strictly required. This can typically be done by setting `adminPermissionsEnabled` to `false` in the realm configuration. Disabling FGAPv2 will prevent the exploitation of this flaw by removing the vulnerable functionality. However, this may impact administrative delegation capabilities within Keycloak. A restart or reload of the Keycloak service may be required for the changes to take effect.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement"
},
{
"acknowledgments": [
{
"names": [
"Omaroo Baniessa"
]
}
],
"cve": "CVE-2026-9799",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-05-28T03:53:15.687000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482471"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized access to resources via UMA permission ticket bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "A Medium severity flaw exists in Keycloak\u0027s authorization component where a user with a UMA permission ticket for a specific resource type can gain unauthorized access to all resources of that type. This bypass occurs when the resource server is configured with the non-default PERMISSIVE policy enforcement mode, has ownerManagedAccess enabled for typed resources, and lacks a covering policy for the resource type. Exploitation requires an authenticated user with an existing permission ticket, limiting its impact to specific, non-default Keycloak deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9799"
},
{
"category": "external",
"summary": "RHBZ#2482471",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482471"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9799",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9799"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9799",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9799"
}
],
"release_date": "2026-05-19T12:34:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:50:57+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"category": "workaround",
"details": "To mitigate this issue, ensure that the Keycloak client\u0027s policy enforcement mode is set to ENFORCING instead of PERMISSIVE. The PERMISSIVE mode is a non-default configuration that enables the vulnerability. Changing this setting will prevent the unauthorized access to resources of the same type. Consult Keycloak documentation for specific instructions on configuring policy enforcement mode for your client. This change may require a restart or reload of the Keycloak service to take effect and could impact existing authorization policies if not carefully managed.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Unauthorized access to resources via UMA permission ticket bypass"
},
{
"acknowledgments": [
{
"names": [
"Bas Levering"
]
}
],
"cve": "CVE-2026-9800",
"cwe": {
"id": "CWE-1025",
"name": "Comparison Using Wrong Factors"
},
"discovery_date": "2026-05-28T03:57:56.111000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2482472"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-9800"
},
{
"category": "external",
"summary": "RHBZ#2482472",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482472"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-9800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-9800"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9800",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9800"
}
],
"release_date": "2026-05-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:50:57+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison"
},
{
"acknowledgments": [
{
"names": [
"Bilal Teke"
]
}
],
"cve": "CVE-2026-11800",
"cwe": {
"id": "CWE-347",
"name": "Improper Verification of Cryptographic Signature"
},
"discovery_date": "2026-06-09T05:06:35.697000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2487006"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak:keycloak-services: Keycloak: Authentication bypass via JWT algorithm confusion",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-11800"
},
{
"category": "external",
"summary": "RHBZ#2487006",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487006"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-11800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-11800"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-11800",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11800"
}
],
"release_date": "2026-05-29T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-06-25T18:50:57+00:00",
"details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
"product_ids": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:30084"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.6:rhbk/keycloak-operator-bundle@sha256:8e800f8ab196c4bbbaf4397e438a2e02e7dc9fd588feb6a6a813f730ab65b0ec_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:2e00190cd88d026765df408d00a63cee8ceb3cd27ddb43e41b37c85936f4e926_amd64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:c88a14bcd41b509c2f10713403d6a3cde9a9d2e6f78311de43a9b3090f7fcb94_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:d14691fa2b04762df8e788c63104611b75714f671604347347afb7f27ec6e592_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9-operator@sha256:e0ff01fb6339ac11a495514a23a71a78bd947809fa0c9bc1a3bda7cdb59bc9ed_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:20440d38f4f71719a27184eeb8eca059dd39fa6c975dfa57529af586bbe7db11_ppc64le",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:4c7d38f4d628edcb59a1f066487f60c3874633d29c9aa0aaa5edd73ef0c5d9e3_arm64",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:df587be8cab83d8da4cbc7e9d4e6ffcaa5cd779027238d51ee462941a680142e_s390x",
"9Base-RHBK-26.6:rhbk/keycloak-rhel9@sha256:ffedd9c68012f3ce5e6d3287775c589fcbe5ba6858afc6b2fd47663fce4b138b_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak:keycloak-services: Keycloak: Authentication bypass via JWT algorithm confusion"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…