RHSA-2026:30083

Vulnerability from csaf_redhat - Published: 2026-06-25 18:47 - Updated: 2026-06-26 06:46
Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.6.4 Security Update
Severity
Important
Notes
Topic: New Red Hat build of Keycloak 26.6.4 packages are available from the Customer Portal
Details: Red Hat build of Keycloak 26.6.4 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security fixes:
* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)
* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)
* eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name (CVE-2026-6860)
* Improper Access Control on Keycloak Server when the Account API feature is disabled (CVE-2026-7500)
* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)
* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)
* Information disclosure through arbitrary filesystem path probing (CVE-2026-9083)
* Cross-site scripting (XSS) via case-insensitive URI validation bypass (CVE-2026-9086)
* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)
* Information disclosure due to user profile permission bypass (CVE-2026-9088)
* Group-Admin Escalation to Realm-Admin (CVE-2026-9099)
* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)
* Attacker can re-enable and take over disabled clients via Registration Access Token (CVE-2026-9705)
* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)
* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)
* Information disclosure via SAML ECP endpoint (CVE-2026-9794)
* Privilege escalation via improper scope mapping enforcement (CVE-2026-9795)
* Unauthorized access to resources via UMA permission ticket bypass (CVE-2026-9799)
* Authorization bypass via incorrect URI comparison (CVE-2026-9800)
* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)
* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)
* Denial of Service via malformed Authorization header (CVE-2026-9803)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2026-6860
A flaw was found in eclipse-vertx/vert.x. A remote attacker can exploit this vulnerability by performing a Transport Layer Security (TLS) handshake whose server name (SNI) extension carries a wildcard server name. This can lead to a denial of service (DoS) condition, impacting the availability of the affected system.

CWE-770 - Allocation of Resources Without Limits or Throttling
Affected products
Product: Red Hat build of Keycloak 26.6.4 (Red Hat / Red Hat build of Keycloak)
Identifier: cpe:/a:redhat:build_keycloak:26.6::el9
Remediation: Vendor Fix; Workaround
Threats
Impact: Moderate

CVE-2026-9083
A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Affected products
Product: Red Hat build of Keycloak 26.6.4 (Red Hat / Red Hat build of Keycloak)
Identifier: cpe:/a:redhat:build_keycloak:26.6::el9
Remediation: Vendor Fix; Workaround
Threats
Impact: Moderate

CVE-2026-9086
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Affected products
Product: Red Hat build of Keycloak 26.6.4 (Red Hat / Red Hat build of Keycloak)
Identifier: cpe:/a:redhat:build_keycloak:26.6::el9
Remediation: Vendor Fix; Workaround
Threats
Impact: Important
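The validation defect described for CVE-2026-9086, shown as an added Python illustration (not Keycloak's Java implementation): a case-sensitive scheme blocklist beside a validator that normalises the scheme as RFC 3986 requires, rejects control characters and allowlists schemes. The sample URIs and the allowlist are constructed for the example.

```python
"""Redirect URI scheme validation: a weak blocklist beside a hardened allowlist check."""
import re
from typing import FrozenSet, Optional

# Schemes a client may register for redirect URIs. Constructed for this example;
# a real deployment decides this per client (e.g. a custom scheme for a mobile app).
DEFAULT_ALLOWED_SCHEMES: FrozenSet[str] = frozenset({"https"})

# RFC 3986: scheme = ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ), terminated by ":".
# Schemes are case-insensitive, so a validator must normalise before comparing.
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def blocklist_is_safe(uri: str) -> bool:
    """The weak pattern: a case-sensitive blocklist applied to the raw string.

    Hypothetical reconstruction of the class of defect the advisory describes,
    not Keycloak's code. 'JavaScript:' or a tab-prefixed 'javascript:' slips through
    because neither string starts with the exact lower-case prefix.
    """
    return not uri.startswith(("javascript:", "data:"))


def extract_scheme(uri: str) -> Optional[str]:
    """Return the lower-cased scheme, or None when the URI has no syntactically valid scheme."""
    match = _SCHEME_RE.match(uri)
    return match.group(1).lower() if match else None


def allowlist_is_safe(uri: str, allowed: FrozenSet[str] = DEFAULT_ALLOWED_SCHEMES) -> bool:
    """Hardened check.

    1. Control characters and spaces anywhere are rejected: browsers strip them while
       parsing, so a validator that tolerates them validates a different URL than the
       one the browser will navigate to.
    2. The URI must be absolute; this example does not accept scheme-relative or
       path-relative redirect URIs (a policy choice, not Keycloak's rule).
    3. The scheme is compared case-insensitively against an allowlist, so a newly
       discovered dangerous scheme never has to be added to a blocklist.
    """
    if any(ord(ch) <= 0x20 or ord(ch) == 0x7F for ch in uri):
        return False
    scheme = extract_scheme(uri)
    if scheme is None:
        return False
    return scheme in allowed


if __name__ == "__main__":
    # Constructed sample input resembling redirect URIs in a client registration request.
    for candidate in ("https://app.example.org/callback", "JavaScript:1", "\tjavascript:1"):
        print(f"{candidate!r:36} blocklist={blocklist_is_safe(candidate)!s:5} "
              f"allowlist={allowlist_is_safe(candidate)}")
```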

CVE-2026-9099
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group. Because group permissions follow a hierarchical structure, this action grants the attacker unauthorized management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator's password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.

CWE-639 - Authorization Bypass Through User-Controlled Key
Affected products
Product: Red Hat build of Keycloak 26.6.4 (Red Hat / Red Hat build of Keycloak)
Identifier: cpe:/a:redhat:build_keycloak:26.6::el9
Remediation: Vendor Fix; Workaround
Threats
Impact: Important

CVE-2026-9705
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client's secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.

CWE-613 - Insufficient Session Expiration
Affected products
Product: Red Hat build of Keycloak 26.6.4 (Red Hat / Red Hat build of Keycloak)
Identifier: cpe:/a:redhat:build_keycloak:26.6::el9
Remediation: Vendor Fix; Workaround
Threats
Impact: Moderate

CVE-2026-9795
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user's authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.

CWE-266 - Incorrect Privilege Assignment
Affected products
Product: Red Hat build of Keycloak 26.6.4 (Red Hat / Red Hat build of Keycloak)
Identifier: cpe:/a:redhat:build_keycloak:26.6::el9
Remediation: Vendor Fix; Workaround
Threats
Impact: Important

CVE-2026-9799
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.

CWE-639 - Authorization Bypass Through User-Controlled Key
Affected products
Product: Red Hat build of Keycloak 26.6.4 (Red Hat / Red Hat build of Keycloak)
Identifier: cpe:/a:redhat:build_keycloak:26.6::el9
Remediation: Vendor Fix; Workaround
Threats
Impact: Moderate

CVE-2026-9800
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.

CWE-1025 - Comparison Using Wrong Factors
Affected products
Product: Red Hat build of Keycloak 26.6.4 (Red Hat / Red Hat build of Keycloak)
Identifier: cpe:/a:redhat:build_keycloak:26.6::el9
Remediation: Vendor Fix; Workaround
Threats
Impact: Important
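An added Python illustration of the comparison defect described for CVE-2026-9800 (CWE-1025), not Keycloak's own code: a substring test over the whole request URL, which matches wherever the configured path appears, beside an exact match on the canonical path component that fails closed. The access-denied path and the request URLs are constructed for the example.

```python
"""Policy enforcer exception for the access-denied page: wrong comparison beside a strict one."""
import posixpath
import re
from urllib.parse import urlsplit

# The page the enforcer redirects to when access is denied. That page must itself be
# reachable without a policy decision, so its path is the one exception to enforcement.
# Constructed example value.
ACCESS_DENIED_PATH = "/access-denied"


def weak_is_access_denied_page(request_url: str, denied_path: str = ACCESS_DENIED_PATH) -> bool:
    """Comparison using the wrong factor: a substring test over the entire request URL.

    Hypothetical reconstruction of the bug class the advisory describes, not Keycloak's
    code. Any URL that merely contains the configured path (as a deeper path segment or
    inside the query string) is treated as the access-denied page and skips enforcement.
    """
    return denied_path in request_url


def canonical_path(request_url: str) -> str:
    """Reduce a request URL to the path component the enforcer should compare.

    Only the path is considered (query and fragment are irrelevant to routing),
    duplicate slashes are collapsed and dot-segments resolved. Percent-encoded octets
    are deliberately NOT decoded: the real access-denied page is requested unencoded,
    so an encoded form never matches and therefore stays under policy (fail closed).
    """
    path = urlsplit(request_url).path or "/"
    path = re.sub(r"/{2,}", "/", path)
    if not path.startswith("/"):
        path = "/" + path
    return posixpath.normpath(path)


def strict_is_access_denied_page(request_url: str, denied_path: str = ACCESS_DENIED_PATH) -> bool:
    """Exact, case-sensitive equality of canonical paths: the only thing that may bypass policy."""
    return canonical_path(request_url) == posixpath.normpath(denied_path)


def enforce(request_url: str, user_is_authorized: bool) -> str:
    """Decision the enforcer makes for one request: 'allow' or 'deny'.

    The access-denied page is exempt; every other path needs the policy result
    (modelled here as the boolean user_is_authorized).
    """
    if strict_is_access_denied_page(request_url):
        return "allow"
    return "allow" if user_is_authorized else "deny"


if __name__ == "__main__":
    # Constructed requests: the real access-denied page and a protected resource whose
    # query string happens to contain the configured path.
    for url in ("https://app.example.org/access-denied",
                "https://app.example.org/api/secret?return=/access-denied"):
        print(f"{url}\n  weak={weak_is_access_denied_page(url)} "
              f"strict={strict_is_access_denied_page(url)}")
```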

A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.

CWE-347 - Improper Verification of Cryptographic Signature
Affected products
Product: Red Hat build of Keycloak 26.6.4 (Red Hat / Red Hat build of Keycloak)
Identifier: cpe:/a:redhat:build_keycloak:26.6::el9
Remediation: Vendor Fix
Threats
Impact: Important
References
URL Category
https://access.redhat.com/errata/RHSA-2026:30083 self
https://access.redhat.com/security/updates/classi… external
https://security.access.redhat.com/data/csaf/v2/a… self
https://access.redhat.com/security/cve/CVE-2026-6860 self
https://bugzilla.redhat.com/show_bug.cgi?id=2466990 external
https://www.cve.org/CVERecord?id=CVE-2026-6860 external
https://nvd.nist.gov/vuln/detail/CVE-2026-6860 external
https://github.com/eclipse-vertx/vert.x/pull/6102 external
https://github.com/eclipse-vertx/vert.x/security/… external
https://gitlab.eclipse.org/security/vulnerability… external
https://access.redhat.com/security/cve/CVE-2026-9083 self
https://bugzilla.redhat.com/show_bug.cgi?id=2480168 external
https://www.cve.org/CVERecord?id=CVE-2026-9083 external
https://nvd.nist.gov/vuln/detail/CVE-2026-9083 external
https://access.redhat.com/security/cve/CVE-2026-9086 self
https://bugzilla.redhat.com/show_bug.cgi?id=2480170 external
https://www.cve.org/CVERecord?id=CVE-2026-9086 external
https://nvd.nist.gov/vuln/detail/CVE-2026-9086 external
https://access.redhat.com/security/cve/CVE-2026-9099 self
https://bugzilla.redhat.com/show_bug.cgi?id=2480182 external
https://www.cve.org/CVERecord?id=CVE-2026-9099 external
https://nvd.nist.gov/vuln/detail/CVE-2026-9099 external
https://access.redhat.com/security/cve/CVE-2026-9705 self
https://bugzilla.redhat.com/show_bug.cgi?id=2481878 external
https://www.cve.org/CVERecord?id=CVE-2026-9705 external
https://nvd.nist.gov/vuln/detail/CVE-2026-9705 external
https://access.redhat.com/security/cve/CVE-2026-9795 self
https://bugzilla.redhat.com/show_bug.cgi?id=2482462 external
https://www.cve.org/CVERecord?id=CVE-2026-9795 external
https://nvd.nist.gov/vuln/detail/CVE-2026-9795 external
https://access.redhat.com/security/cve/CVE-2026-9799 self
https://bugzilla.redhat.com/show_bug.cgi?id=2482471 external
https://www.cve.org/CVERecord?id=CVE-2026-9799 external
https://nvd.nist.gov/vuln/detail/CVE-2026-9799 external
https://access.redhat.com/security/cve/CVE-2026-9800 self
https://bugzilla.redhat.com/show_bug.cgi?id=2482472 external
https://www.cve.org/CVERecord?id=CVE-2026-9800 external
https://nvd.nist.gov/vuln/detail/CVE-2026-9800 external
https://access.redhat.com/security/cve/CVE-2026-11800 self
https://bugzilla.redhat.com/show_bug.cgi?id=2487006 external
https://www.cve.org/CVERecord?id=CVE-2026-11800 external
https://nvd.nist.gov/vuln/detail/CVE-2026-11800 external
Acknowledgments
Swapnil Paliwal & Security Team (AxiomCode)
saku0512
Qiulin Deng
Andrej Tomci
Omaroo Baniessa
Bas Levering
Bilal Teke

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "New Red Hat build of Keycloak 26.6.4 packages are available from the Customer Portal",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat build of Keycloak 26.6.4 is a standalone server, based on\nthe Keycloak project, that provides authentication and\nstandards-based single sign-on capabilities for web and mobile\napplications.\n\nSecurity fixes:\n* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)\n* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)\n* eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name (CVE-2026-6860)\n* Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)\n* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)\n* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)\n* Information disclosure through arbitrary filesystem path probing (CVE-2026-9083)\n* Cross-site scripting (XSS) via case-insensitive URI validation bypass (CVE-2026-9086)\n* Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)\n* Information disclosure due to user profile permission bypass (CVE-2026-9088)\n* Group-Admin Escalation to Realm-Admin (CVE-2026-9099)\n* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)\n* Attacker can re-enable and take over disabled clients via Registration Access Token (CVE-2026-9705)\n* Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)\n* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)\n* Information disclosure via SAML ECP endpoint (CVE-2026-9794)\n* Privilege escalation via improper scope mapping enforcement (CVE-2026-9795)\n* Unauthorized access to resources via UMA permission ticket bypass (CVE-2026-9799)\n* Authorization bypass via incorrect URI comparison (CVE-2026-9800)\n* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)\n* Unauthorized account access via 
replayed refresh tokens after cluster restart (CVE-2026-9802)\n* Denial of Service via malformed Authorization header (CVE-2026-9803)",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2026:30083",
        "url": "https://access.redhat.com/errata/RHSA-2026:30083"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_30083.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.6.4 Security Update",
    "tracking": {
      "current_release_date": "2026-06-26T06:46:45+00:00",
      "generator": {
        "date": "2026-06-26T06:46:45+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "5.2.5"
        }
      },
      "id": "RHSA-2026:30083",
      "initial_release_date": "2026-06-25T18:47:39+00:00",
      "revision_history": [
        {
          "date": "2026-06-25T18:47:39+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-25T18:47:39+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-06-26T06:46:45+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat build of Keycloak 26.6.4",
                "product": {
                  "name": "Red Hat build of Keycloak 26.6.4",
                  "product_id": "Red Hat build of Keycloak 26.6.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:build_keycloak:26.6::el9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat build of Keycloak"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-6860",
      "cwe": {
        "id": "CWE-770",
        "name": "Allocation of Resources Without Limits or Throttling"
      },
      "discovery_date": "2026-05-06T10:01:43.929832+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2466990"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in eclipse-vertx/vert.x. A remote attacker can exploit this vulnerability by performing a Transport Layer Security (TLS) handshake and presenting a server name extension with a server wildcard name. This can lead to a denial of service (DoS) condition, impacting the availability of the affected system.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "eclipse-vertx/vert.x: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw is rated as Moderate because a remote attacker can trigger a denial of service in Red Hat products that use `eclipse-vertx/vert.x` and are configured with TLS wildcard server names. Exploitation occurs during the TLS handshake, impacting service availability without affecting data confidentiality or integrity.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-6860"
        },
        {
          "category": "external",
          "summary": "RHBZ#2466990",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2466990"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-6860",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-6860"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-6860",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6860"
        },
        {
          "category": "external",
          "summary": "https://github.com/eclipse-vertx/vert.x/pull/6102",
          "url": "https://github.com/eclipse-vertx/vert.x/pull/6102"
        },
        {
          "category": "external",
          "summary": "https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6",
          "url": "https://github.com/eclipse-vertx/vert.x/security/advisories/GHSA-3g76-f9xq-8vp6"
        },
        {
          "category": "external",
          "summary": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381",
          "url": "https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/381"
        }
      ],
      "release_date": "2026-05-06T09:55:12.531000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T18:47:39+00:00",
          "details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:30083"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "eclipse-vertx/vert.x: eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Swapnil Paliwal \u0026 Security Team"
          ],
          "organization": "AxiomCode"
        }
      ],
      "cve": "CVE-2026-9083",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2026-05-20T14:11:24.606000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2480168"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak. A realm administrator with the \"manage-realm\" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining which files exist and are readable by the Keycloak process. This information disclosure could be used to identify high-value targets for follow-on attacks.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Medium: This flaw in Keycloak allows a highly privileged realm administrator with the \"manage-realm\" role to perform arbitrary filesystem path probing. By submitting a crafted keystore path, an authenticated attacker can determine the existence and readability of files on the Keycloak server, potentially identifying high-value targets for further attacks. Exploitation requires an attacker to possess the \"manage-realm\" role, which is a high-level administrative permission.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9083"
        },
        {
          "category": "external",
          "summary": "RHBZ#2480168",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480168"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9083",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9083"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9083",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9083"
        }
      ],
      "release_date": "2026-06-25T15:58:16.784000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T18:47:39+00:00",
          "details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:30083"
        },
        {
          "category": "workaround",
          "details": "Ensure that only highly trusted administrators are granted the \"manage-realm\" role within Keycloak. This role provides extensive administrative privileges, including the ability to exploit this vulnerability for filesystem probing. Regularly review and audit users assigned to this role to minimize the attack surface.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "saku0512"
          ]
        }
      ],
      "cve": "CVE-2026-9086",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2026-05-20T14:43:55.195000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2480170"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive `javascript:` or `data:` scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This flaw is rated as High. Keycloak\u0027s client URI validation is vulnerable to a case-insensitivity issue, allowing attackers to bypass scheme blocklists by using mixed-case `javascript:` or `data:` URIs. This can lead to cross-site scripting (XSS) in the Keycloak origin when a victim interacts with a crafted link, such as during the logout flow. Exploitation requires an authenticated administrator with `manage-client` privileges or access to client registration endpoints, and user interaction.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9086"
        },
        {
          "category": "external",
          "summary": "RHBZ#2480170",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480170"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9086",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9086"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9086",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9086"
        }
      ],
      "release_date": "2026-06-25T15:58:33.359000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T18:47:39+00:00",
          "details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:30083"
        },
        {
          "category": "workaround",
          "details": "To mitigate this vulnerability, restrict the ability to register new clients and manage existing client configurations. If Dynamic Client Registration is not required, disable it in Keycloak\u0027s Realm Settings under Client Registration Policies. If Dynamic Client Registration is necessary, ensure that policies are strictly configured to prevent anonymous client registration and require initial access tokens for all client registrations. Additionally, limit the `manage-client` role to only trusted administrators. Changes to Keycloak configuration may require a service restart or redeployment to take effect.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass"
    },
    {
      "cve": "CVE-2026-9099",
      "cwe": {
        "id": "CWE-639",
        "name": "Authorization Bypass Through User-Controlled Key"
      },
      "discovery_date": "2026-05-20T15:05:54.381000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2480182"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is enabled, an attacker with management rights over a single low-privilege group can reparent a highly privileged group (such as one possessing the realm-admin role) under their managed group.\n\nBecause group permissions follow a hierarchical structure, this action unauthorizedly grants the attacker management and password-reset capabilities over the members of the targeted privileged group. An attacker can exploit this to reset an administrator\u0027s password, compromise the account, and achieve a full realm takeover, leading to a complete compromise of confidentiality, integrity, and availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Group-Admin Escalation to Realm-Admin",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This vulnerability is rated as High impact. When Fine-Grained Admin Permissions (FGAPv2) are enabled in Keycloak, a delegated administrator with specific `manage-members` permissions on a low-privilege group can bypass authorization checks to reparent any other group, including those with `realm-admin` roles. This allows the attacker to reset passwords of members in the stolen group, leading to a full realm takeover.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9099"
        },
        {
          "category": "external",
          "summary": "RHBZ#2480182",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2480182"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9099",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9099"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9099",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9099"
        }
      ],
      "release_date": "2026-06-25T15:58:51.884000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T18:47:39+00:00",
          "details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:30083"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, restrict network access to the Keycloak Admin REST API to only trusted networks or localhost. This limits the attack surface by preventing unauthorized access to the API endpoints required for exploitation. Consult your network security documentation for specific firewall or network access control configurations. This may impact remote administration capabilities.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.7,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "keycloak: Group-Admin Escalation to Realm-Admin"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Qiulin Deng"
          ]
        }
      ],
      "cve": "CVE-2026-9705",
      "cwe": {
        "id": "CWE-613",
        "name": "Insufficient Session Expiration"
      },
      "discovery_date": "2026-05-27T12:42:28.395000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2481878"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak\u0027s client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This bypasses security controls, allowing the attacker to reset the client\u0027s secret and potentially regain privileged API access. The primary impact includes unauthorized information disclosure and potential integrity compromise.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "A Moderate flaw was found in Keycloak where a disabled client can be re-enabled by an attacker who retains a Registration Access Token (RAT) from a prior legitimate client registration. This allows the attacker to bypass the administrator\u0027s explicit intent to disable the client, reset its secret, and restore OAuth client_credentials capability, potentially leading to unauthorized access to resources.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9705"
        },
        {
          "category": "external",
          "summary": "RHBZ#2481878",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481878"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9705",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9705"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9705"
        }
      ],
      "release_date": "2026-06-25T15:59:03.780000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T18:47:39+00:00",
          "details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:30083"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, restrict network access to the Keycloak Dynamic Client Registration endpoint. Configure network firewalls to allow connections only from trusted hosts or networks that legitimately require access to this functionality. This limits the exposure of the vulnerable endpoint to unauthorized access attempts.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Andrej Tomci"
          ]
        }
      ],
      "cve": "CVE-2026-9795",
      "cwe": {
        "id": "CWE-266",
        "name": "Incorrect Privilege Assignment"
      },
      "discovery_date": "2026-05-28T03:15:51.639000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2482462"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak\u0027s Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client\u0027s scope mapping. This bypasses intended security controls, allowing the injected role to be projected into a user\u0027s authentication token when they access the modified client. This could lead to unauthorized privilege escalation within the Keycloak realm.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This is an Important privilege escalation flaw in Keycloak when Fine-Grained Admin Permissions (FGAPv2) are enabled. An attacker with fine-grained client management permissions can bypass role mapping restrictions, allowing them to inject arbitrary realm roles into a client\u0027s scope. Subsequent authentication by a privileged user through the compromised client would then project these injected roles into their token, leading to unauthorized access. Exploitation requires specific administrative preconditions and user interaction.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9795"
        },
        {
          "category": "external",
          "summary": "RHBZ#2482462",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482462"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9795",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9795"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9795",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9795"
        }
      ],
      "release_date": "2026-05-28T03:16:49.326000+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T18:47:39+00:00",
          "details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:30083"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, disable the Fine-Grained Admin Permissions (FGAPv2) feature in Keycloak if it is not strictly required. This can typically be done by setting `adminPermissionsEnabled` to `false` in the realm configuration. Disabling FGAPv2 will prevent the exploitation of this flaw by removing the vulnerable functionality. However, this may impact administrative delegation capabilities within Keycloak. A restart or reload of the Keycloak service may be required for the changes to take effect.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Omaroo Baniessa"
          ]
        }
      ],
      "cve": "CVE-2026-9799",
      "cwe": {
        "id": "CWE-639",
        "name": "Authorization Bypass Through User-Controlled Key"
      },
      "discovery_date": "2026-05-28T03:53:15.687000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2482471"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. This allows the user to gain unauthorized access to all resources of that type within the same resource server, even if they do not have a ticket for those specific resources. This vulnerability requires the resource server to be configured in PERMISSIVE policy enforcement mode and affects typed resources with ownerManagedAccess enabled, where no explicit policy protects the resource type. The primary consequence is unauthorized information disclosure or modification of resources.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Keycloak: Unauthorized access to resources via UMA permission ticket bypass",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "A Medium severity flaw exists in Keycloak\u0027s authorization component where a user with a UMA permission ticket for a specific resource type can gain unauthorized access to all resources of that type. This bypass occurs when the resource server is configured with the non-default PERMISSIVE policy enforcement mode, has ownerManagedAccess enabled for typed resources, and lacks a covering policy for the resource type. Exploitation requires an authenticated user with an existing permission ticket, limiting its impact to specific, non-default Keycloak deployments.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9799"
        },
        {
          "category": "external",
          "summary": "RHBZ#2482471",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482471"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9799",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9799"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9799",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9799"
        }
      ],
      "release_date": "2026-05-19T12:34:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T18:47:39+00:00",
          "details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:30083"
        },
        {
          "category": "workaround",
          "details": "To mitigate this issue, ensure that the Keycloak client\u0027s policy enforcement mode is set to ENFORCING instead of PERMISSIVE. The PERMISSIVE mode is a non-default configuration that enables the vulnerability. Changing this setting will prevent the unauthorized access to resources of the same type. Consult Keycloak documentation for specific instructions on configuring policy enforcement mode for your client. This change may require a restart or reload of the Keycloak service to take effect and could impact existing authorization policies if not carefully managed.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.6,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "keycloak: Keycloak: Unauthorized access to resources via UMA permission ticket bypass"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Bas Levering"
          ]
        }
      ],
      "cve": "CVE-2026-9800",
      "cwe": {
        "id": "CWE-1025",
        "name": "Comparison Using Wrong Factors"
      },
      "discovery_date": "2026-05-28T03:57:56.111000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2482472"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied page path within a request URL, either as a path segment or a query parameter, an attacker can gain unauthorized access to protected resources.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "keycloak: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-9800"
        },
        {
          "category": "external",
          "summary": "RHBZ#2482472",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2482472"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-9800",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-9800"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-9800",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9800"
        }
      ],
      "release_date": "2026-05-19T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T18:47:39+00:00",
          "details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:30083"
        },
        {
          "category": "workaround",
          "details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "keycloak: Keycloak Policy Enforcer: Authorization bypass via incorrect URI comparison"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Bilal Teke"
          ]
        }
      ],
      "cve": "CVE-2026-11800",
      "cwe": {
        "id": "CWE-347",
        "name": "Improper Verification of Cryptographic Signature"
      },
      "discovery_date": "2026-06-09T05:06:35.697000+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "2487006"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "org.keycloak:keycloak-services: Keycloak: Authentication bypass via JWT algorithm confusion",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat build of Keycloak 26.6.4"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2026-11800"
        },
        {
          "category": "external",
          "summary": "RHBZ#2487006",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2487006"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2026-11800",
          "url": "https://www.cve.org/CVERecord?id=CVE-2026-11800"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-11800",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-11800"
        }
      ],
      "release_date": "2026-05-29T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2026-06-25T18:47:39+00:00",
          "details": "Before applying the update, back up your existing installation,\nincluding all applications, configuration files, databases and\ndatabase settings, and so on.",
          "product_ids": [
            "Red Hat build of Keycloak 26.6.4"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2026:30083"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "products": [
            "Red Hat build of Keycloak 26.6.4"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "org.keycloak:keycloak-services: Keycloak: Authentication bypass via JWT algorithm confusion"
    }
  ]
}
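
The case-sensitivity bypass behind CVE-2026-9086 ("Cross-site scripting (XSS) via case-insensitive URI validation bypass" above) comes down to matching a scheme blocklist against the raw string while the browser normalises the scheme before acting on it. The Go program below is an added example written for this page; it is not Keycloak's code, and the function names, the blocklist entries and the sample URIs are constructed. It places the flawed prefix check beside a check that parses the URI and allowlists the normalised scheme.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// blockedSchemes models a scheme blocklist of the kind the advisory describes.
// The entries are constructed for this example, not Keycloak's configuration.
var blockedSchemes = []string{"javascript:", "data:", "vbscript:"}

// vulnerableURIAllowed reproduces the flawed pattern: a case-sensitive prefix
// match on the raw string. Browsers treat the scheme case-insensitively
// (RFC 3986, section 3.1), so "JavaScript:" passes this check and still runs
// as script when the victim follows the link.
func vulnerableURIAllowed(uri string) bool {
	for _, bad := range blockedSchemes {
		if strings.HasPrefix(uri, bad) {
			return false
		}
	}
	return true
}

// hardenedURIAllowed parses the URI and allowlists the scheme; url.Parse
// lower-cases it, so "HTTPS" and "JavaScript" are judged on their meaning,
// not their spelling. An allowlist of the schemes a redirect or logout URI may
// legitimately use is the durable fix; a blocklist is one spelling away from
// a bypass.
func hardenedURIAllowed(uri string) bool {
	u, err := url.Parse(strings.TrimSpace(uri))
	if err != nil {
		return false
	}
	switch u.Scheme {
	case "https":
		return u.Host != ""
	case "http":
		// Plain http only for loopback development redirect URIs.
		h := u.Hostname()
		return h == "localhost" || h == "127.0.0.1"
	default:
		return false
	}
}

func main() {
	for _, p := range []string{
		"https://app.example.com/callback",
		"HTTPS://app.example.com/callback",
		"javascript:alert(document.domain)",
		"JavaScript:alert(document.domain)",
		"dAtA:text/html,<script>alert(1)</script>",
	} {
		fmt.Printf("%-45s vulnerable=%-5v hardened=%v\n", p, vulnerableURIAllowed(p), hardenedURIAllowed(p))
	}
}
```

The same allowlist logic applies to any URI an administrator or client-registration caller can store and a victim's browser later navigates to (redirect URIs, post-logout redirect URIs, base and home URLs); validating on the parsed, normalised scheme rather than the stored string is what removes the spelling dependency.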
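
CVE-2026-9800 ("Authorization bypass via incorrect URI comparison" above) describes a policy enforcer that treats any request whose URL contains the configured access-denied path, as a path segment or inside the query string, as if it were the access-denied page itself and skips policy evaluation. The Go program below is an added example, not Keycloak's Policy Enforcer code; `enforcerConfig`, `accessDeniedPath`, `decide` and the sample request targets are constructed for illustration. It shows the substring comparison beside an equality comparison on the parsed, cleaned path.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// enforcerConfig is a stand-in for the policy-enforcer settings; the field
// name and the path value used below are constructed for this example.
type enforcerConfig struct {
	accessDeniedPath string // page served to users who fail authorization
}

// vulnerableIsExempt is the flawed comparison: a substring test on the raw
// request target. Any protected URL that merely contains the access-denied
// path, as a segment or inside the query string, is treated as the
// access-denied page and skips policy evaluation entirely.
func vulnerableIsExempt(cfg enforcerConfig, rawURI string) bool {
	return strings.Contains(rawURI, cfg.accessDeniedPath)
}

// hardenedIsExempt parses the request target, drops the query string, and
// compares the cleaned path for equality. The configured value is cleaned the
// same way so a trailing slash on either side does not cause a mismatch. Use
// the same normalisation the backing router uses to resolve paths, otherwise
// the enforcer and the application disagree about which resource is served.
func hardenedIsExempt(cfg enforcerConfig, rawURI string) bool {
	u, err := url.ParseRequestURI(rawURI)
	if err != nil {
		return false
	}
	return path.Clean(u.Path) == path.Clean(cfg.accessDeniedPath)
}

// decide models the enforcer's outcome: the access-denied page is always
// reachable; everything else requires the caller to hold the permission
// (hasPermission stands in for the role, scope and UMA checks).
func decide(isExempt func(enforcerConfig, string) bool, cfg enforcerConfig, rawURI string, hasPermission bool) bool {
	if isExempt(cfg, rawURI) {
		return true
	}
	return hasPermission
}

func main() {
	cfg := enforcerConfig{accessDeniedPath: "/access-denied"}
	for _, r := range []string{
		"/access-denied",
		"/api/admin/users",
		"/api/admin/users?return=/access-denied",
		"/api/admin/users/access-denied",
	} {
		fmt.Printf("%-42s vulnerable=%-5v hardened=%v\n", r,
			decide(vulnerableIsExempt, cfg, r, false),
			decide(hardenedIsExempt, cfg, r, false))
	}
}
```

The two requests that carry `/access-denied` as a query value or trailing segment are granted by the substring check with no permission at all and denied by the path-equality check; the genuine access-denied page stays reachable under both.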
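
CVE-2026-11800 ("Authentication bypass via JWT algorithm confusion" above) is the RS256/HS256 confusion: if the verifier lets the token's `alg` header select the verification routine, an HS256 assertion keyed with the identity provider's public key verifies, because the same public bytes are the "secret" on the server side. The Go program below is an added example written for this page, not Keycloak's implementation of the JWT Authorization Grant; the issuer name, the claims and the helper functions (`mintJWT`, `verify`, `scenario`) are constructed. It generates a throwaway RSA key pair, then checks a genuine RS256 assertion and a forged HS256 one against a header-trusting verifier and an algorithm-pinning verifier.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

var enc = base64.RawURLEncoding
// mintJWT assembles header.payload.signature with the caller's signer.
func mintJWT(alg string, claims map[string]string, sign func([]byte) []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": alg})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	return input + "." + enc.EncodeToString(sign([]byte(input)))
}

func hs256(key, input []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(input)
	return mac.Sum(nil)
}

// verify checks a compact JWS against the issuer's PEM-encoded RSA public key.
// With trustHeaderAlg true it reproduces the flaw: the attacker-controlled alg
// header picks the routine, and for HS256 the public-key bytes become the HMAC
// secret; a public key is by definition in the attacker's hands too, so a
// forged assertion passes. With it false the algorithm is pinned to RS256.
func verify(pubPEM []byte, token string, trustHeaderAlg bool) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	hdrJSON, errH := enc.DecodeString(parts[0])
	sig, errS := enc.DecodeString(parts[2])
	var hdr struct{ Alg string `json:"alg"` }
	if err := errors.Join(errH, errS, json.Unmarshal(hdrJSON, &hdr)); err != nil {
		return err
	}
	input := []byte(parts[0] + "." + parts[1])
	if trustHeaderAlg && hdr.Alg == "HS256" { // the confusion path
		if hmac.Equal(hs256(pubPEM, input), sig) {
			return nil
		}
		return errors.New("bad HMAC")
	}
	if hdr.Alg != "RS256" {
		return fmt.Errorf("alg %q rejected, issuer is pinned to RS256", hdr.Alg)
	}
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return errors.New("bad PEM")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes) // issuer registered an RSA key
	if err != nil {
		return err
	}
	sum := sha256.Sum256(input)
	return rsa.VerifyPKCS1v15(key.(*rsa.PublicKey), crypto.SHA256, sum[:], sig)
}

func vulnerableVerify(pubPEM []byte, token string) error { return verify(pubPEM, token, true) }
func hardenedVerify(pubPEM []byte, token string) error   { return verify(pubPEM, token, false) }

// scenario reports whether each verifier accepts a genuine RS256 assertion and
// a forged HS256 assertion keyed with the public key, in that order.
func scenario() (legitVuln, legitHard, forgedVuln, forgedHard bool) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // throwaway IdP key for the demo
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pubPEM := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	legit := mintJWT("RS256", map[string]string{"iss": "https://idp.example", "sub": "alice"}, func(in []byte) []byte {
		sum := sha256.Sum256(in)
		sig, _ := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, sum[:])
		return sig
	})
	// The forger needs no secret: the IdP publishes this key.
	forged := mintJWT("HS256", map[string]string{"iss": "https://idp.example", "sub": "admin"}, func(in []byte) []byte {
		return hs256(pubPEM, in)
	})
	return vulnerableVerify(pubPEM, legit) == nil, hardenedVerify(pubPEM, legit) == nil,
		vulnerableVerify(pubPEM, forged) == nil, hardenedVerify(pubPEM, forged) == nil
}

func main() {
	lv, lh, fv, fh := scenario()
	fmt.Printf("genuine RS256: vulnerable=%v hardened=%v\nforged HS256: vulnerable=%v hardened=%v\n", lv, lh, fv, fh)
}
```

The design point is that the algorithm and key type belong to the issuer's registration, not to the token: the verifier decides which routine to run from configuration it controls and treats the header as untrusted input to be checked against that decision, never as the selector.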

