SB2026062907 - Multiple vulnerabilities in Keycloak
Published: June 29, 2026
Description
This security bulletin contains information about 7 vulnerabilities.
1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2026-11800)
CWE-ID: CWE-347 - Improper Verification of Cryptographic Signature
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to present a forged JWT assertion that passes signature verification and obtain access tokens for another identity.
The vulnerability exists due to improper verification of the cryptographic signature on JWT assertions presented in the JWT Authorization Grant flow. A remote user can craft an assertion whose signature is never correctly checked against the identity provider's keys and exchange it for access tokens they are not entitled to.
The issue can allow impersonation of any federated user linked to the affected identity provider.
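The property that failed here is that the server, not the token, must decide which key and algorithm verify an assertion, and that no claim may be trusted before the signature holds. The following verifier is an added example written for this bulletin, not Keycloak's code or the advisory's fix; it uses HS256 shared secrets so it runs on the Python standard library, whereas Keycloak resolves asymmetric keys from the identity provider's JWKS. The issuer, kid, key bytes and audience are constructed for the example. The tamper() and rehead() helpers build the kind of forged input a verifier must reject: claims rewritten under an old signature, and a header switched to alg=none or to an unknown kid.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed trusted key set, indexed by issuer and then by kid. Keycloak
# resolves the identity provider's keys from its JWKS; HS256 shared secrets are
# used here only so the example runs on the standard library.
TRUSTED_KEYS = {
    "https://idp.example": {"idp-key-1": b"constructed-shared-secret-for-this-example"},
}
EXPECTED_AUDIENCE = "https://keycloak.example/realms/demo"  # assumed token endpoint audience


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_assertion(claims: dict, issuer: str, kid: str) -> str:
    """Mint a valid HS256 assertion; used only to build inputs for the verifier."""
    signing_input = encode_json({"alg": "HS256", "typ": "JWT", "kid": kid}) + "." + encode_json(claims)
    sig = hmac.new(TRUSTED_KEYS[issuer][kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def tamper(token: str, **new_claims) -> str:
    """Attacker-side helper: rewrite claims but keep the original signature."""
    header, payload, sig = token.split(".")
    claims = json.loads(b64url_decode(payload))
    claims.update(new_claims)
    return header + "." + encode_json(claims) + "." + sig


def rehead(token: str, **header_fields) -> str:
    """Attacker-side helper: replace the header (e.g. alg=none), keep payload and signature."""
    header, payload, sig = token.split(".")
    return encode_json(header_fields) + "." + payload + "." + sig


def verify_assertion(token: str, now=None) -> dict:
    """Return the claims of a valid assertion or raise ValueError.

    The verification key is chosen from TRUSTED_KEYS by (iss, kid) only; the
    token is never allowed to pick the algorithm or carry its own key.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed header or payload")
    # 1. Pin the algorithm: "none" or anything other than the configured one fails.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    if any(k in header for k in ("jwk", "jku", "x5u", "x5c")):
        raise ValueError("token-supplied keys are not accepted")
    # 2. Resolve the key from configuration, not from the token.
    key = TRUSTED_KEYS.get(claims.get("iss"), {}).get(header.get("kid"))
    if key is None:
        raise ValueError("unknown issuer or kid")
    # 3. Verify over the exact bytes received (no re-encoding), in constant time.
    expected = hmac.new(key, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # 4. Only a signed payload gets its claims checked and trusted.
    if claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("missing or expired exp")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def is_accepted(token: str, now=None) -> bool:
    """True only if the assertion would be exchanged for an access token."""
    try:
        verify_assertion(token, now)
        return True
    except (ValueError, TypeError):
        return False
```

The order of the checks is the point: algorithm pinned first, key looked up from server configuration second, signature compared over the raw received segments third, and only then are iss, aud, exp and sub read. A verifier that reads claims (or a kid from an unsigned header) to decide whether to verify at all is the shape of bug this class of advisory describes.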
2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-9799)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information or modify resources.
The vulnerability exists due to improper access control in org.keycloak.authorization when processing a permission request with a specific prefix. A remote user can use a granted User-Managed Access (UMA) permission ticket for one resource to bypass per-resource access control and disclose sensitive information or modify resources.
The issue affects typed resources with ownerManagedAccess enabled when the same resource server is configured in PERMISSIVE policy enforcement mode and no explicit policy protects the resource type. User interaction is required.
3) Incorrect Privilege Assignment (CVE-ID: CVE-2026-9795)
CWE-ID: CWE-266 - Incorrect Privilege Assignment
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to improper scope mapping enforcement in the Fine-Grained Admin Permissions (FGAPv2) feature when managing client scope mappings. A remote privileged user can assign arbitrary realm roles, including highly privileged roles, to a client's scope mapping to escalate privileges.
User interaction is required when a user accesses the modified client, causing the injected role to be projected into the authentication token.
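Because the injected role only takes effect when a user later authenticates to the modified client, mappings added before the fix was applied stay live until someone finds them. The audit below is an added example for this bulletin, not Keycloak's code: it walks a realm export and reports privileged realm roles and realm-management client roles that sit in any client's scope mapping, plus clients with "Full scope allowed", which bypass scope mappings entirely. The realm fragment is constructed and assumed to follow the shape of Keycloak's realm export (scopeMappings and clientScopeMappings); the role sets are the usual suspects and should be extended with anything custom in your realm.

```python
# Constructed realm export fragment, assumed to follow the realm export shape:
# realm-level "scopeMappings" hold realm roles placed in a client's scope, and
# "clientScopeMappings" maps a role-owning client (here realm-management) to the
# clients that receive its roles in scope.
SAMPLE_REALM = {
    "realm": "demo",
    "clients": [
        {"clientId": "web-portal", "fullScopeAllowed": False},
        {"clientId": "reporting", "fullScopeAllowed": False},
        {"clientId": "legacy-app", "fullScopeAllowed": True},
    ],
    "scopeMappings": [
        {"client": "web-portal", "roles": ["offline_access", "admin"]},
        {"client": "reporting", "roles": ["viewer"]},
    ],
    "clientScopeMappings": {
        "realm-management": [
            {"client": "reporting", "roles": ["view-users", "manage-users"]},
        ]
    },
}

# Roles whose projection into a token lets the holder administer the realm.
PRIVILEGED_REALM_ROLES = {"admin", "create-realm"}
PRIVILEGED_CLIENT_ROLES = {
    "realm-management": {
        "realm-admin", "manage-realm", "manage-users", "manage-clients",
        "manage-authorization", "manage-identity-providers", "impersonation",
    }
}


def _holder(mapping: dict) -> str:
    # A scope mapping belongs either to a client or to a client scope.
    return mapping.get("client") or mapping.get("clientScope") or "?"


def audit_scope_mappings(realm: dict) -> list:
    """Return sorted (holder, role) pairs where a privileged role is in scope."""
    findings = []
    for mapping in realm.get("scopeMappings", []):
        for role in mapping.get("roles", []):
            if role in PRIVILEGED_REALM_ROLES:
                findings.append((_holder(mapping), role))
    for owner, mappings in realm.get("clientScopeMappings", {}).items():
        risky = PRIVILEGED_CLIENT_ROLES.get(owner, set())
        for mapping in mappings:
            for role in mapping.get("roles", []):
                if role in risky:
                    findings.append((_holder(mapping), owner + "/" + role))
    return sorted(findings)


def full_scope_clients(realm: dict) -> list:
    """Clients with 'Full scope allowed': every role the user holds is projected,
    so scope mappings do not constrain them at all."""
    return sorted(c["clientId"] for c in realm.get("clients", []) if c.get("fullScopeAllowed"))


if __name__ == "__main__":
    for holder, role in audit_scope_mappings(SAMPLE_REALM):
        print(f"privileged role in scope: {holder} <- {role}")
    for client_id in full_scope_clients(SAMPLE_REALM):
        print(f"full scope allowed: {client_id}")
```

Run it against the JSON produced by a realm export (kc.sh export) rather than the live admin API so the audit covers every client in one pass; a finding is not automatically a vulnerability, since a role in scope is only projected to users who actually hold it, but each one should have a documented reason to exist.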
4) Insufficient Session Expiration (CVE-ID: CVE-2026-9705)
CWE-ID: CWE-613 - Insufficient Session Expiration
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to disclose sensitive information and compromise integrity.
The vulnerability exists due to insufficient session expiration in the client registration service when processing requests with a previously issued registration access token. A remote attacker can use a stale registration access token to re-enable a disabled client and reset its secret to disclose sensitive information and compromise integrity.
Exploitation requires possession of a previously issued registration access token for the client.
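The defence that was missing is lifecycle binding: a registration access token should be single-use, replaced on every successful call, and revoked the moment the client is disabled, so that a token captured earlier has no value later. The class below is an added example for this bulletin and is not Keycloak's implementation of the client registration service; client identifiers and the operations are constructed, and only token hashes are stored so a database read does not yield usable tokens.

```python
import hashlib
import hmac
import secrets


class ClientRegistry:
    """Constructed model of a client registration service whose registration
    access tokens are single-use and die with the client's enabled state.

    There is deliberately no operation that re-enables a client through a
    registration access token: a disabled client rejects every registration
    call, and enabling is left to the administrative API.
    """

    def __init__(self):
        self._clients = {}  # client_id -> {"enabled", "secret", "reg_token_hash"}

    @staticmethod
    def _hash(token: str) -> bytes:
        return hashlib.sha256(token.encode()).digest()

    def _issue(self, client_id: str) -> str:
        """Mint a fresh token and make it the only one the client accepts."""
        token = secrets.token_urlsafe(32)
        self._clients[client_id]["reg_token_hash"] = self._hash(token)
        return token

    def register(self, client_id: str) -> str:
        self._clients[client_id] = {"enabled": True, "secret": secrets.token_urlsafe(32), "reg_token_hash": None}
        return self._issue(client_id)

    def disable(self, client_id: str) -> None:
        """Administrative disable also revokes the outstanding registration token."""
        self._clients[client_id]["enabled"] = False
        self._clients[client_id]["reg_token_hash"] = None

    def is_enabled(self, client_id: str) -> bool:
        return self._clients[client_id]["enabled"]

    def secret(self, client_id: str) -> str:
        return self._clients[client_id]["secret"]

    def _authorize(self, client_id: str, token: str) -> None:
        client = self._clients.get(client_id)
        if client is None or not client["enabled"]:
            raise PermissionError("unknown or disabled client")
        stored = client["reg_token_hash"]
        if stored is None or not hmac.compare_digest(stored, self._hash(token)):
            raise PermissionError("invalid or stale registration access token")

    def rotate_secret(self, client_id: str, token: str) -> tuple:
        """Registration-endpoint operation: returns (new_secret, next_registration_token).
        The presented token is consumed; presenting it again fails."""
        self._authorize(client_id, token)
        self._clients[client_id]["secret"] = secrets.token_urlsafe(32)
        return self._clients[client_id]["secret"], self._issue(client_id)

    def try_rotate(self, client_id: str, token: str):
        """Convenience wrapper: the next token on success, None when rejected."""
        try:
            return self.rotate_secret(client_id, token)[1]
        except PermissionError:
            return None
```

The two properties worth checking in any implementation are visible in the test: a token is dead after one use, and disabling the client kills even the newest token, so an attacker who captured a registration access token at any point in the past cannot use it to reset the secret or revive the client.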
5) Cross-site scripting (CVE-ID: CVE-2026-9086)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary script in the Keycloak origin.
The vulnerability exists due to insufficient client URI validation: a redirect URI whose javascript: or data: scheme is written in mixed or upper case is not rejected. A remote user can register a malicious client with such a URI and supply a crafted link that executes arbitrary script in the Keycloak origin.
User interaction is required to click the crafted link, such as during the logout flow or in the Admin Console.
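A scheme denylist only works if it is applied to the scheme the browser will actually see. Browsers lower-case the scheme, strip leading and trailing control characters and spaces, and remove embedded tab, CR and LF characters before parsing, so a case-sensitive prefix check misses JavaScript:, a leading tab, or java\nscript:. The validator below is an added example for this bulletin, not Keycloak's client URI validation or its fix; it places the case-sensitive check the advisory describes beside a normalizing one and a stricter allowlist variant. The custom scheme com.example.app is a constructed placeholder for a native app.

```python
import re

DANGEROUS_SCHEMES = {"javascript", "data", "vbscript"}
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))  # NUL..US plus space
_TAB_NEWLINE_RE = re.compile(r"[\t\n\r]")


def vulnerable_is_safe(uri: str) -> bool:
    """Case-sensitive prefix denylist: the pattern the advisory describes."""
    return not (uri.startswith("javascript:") or uri.startswith("data:"))


def scheme_of(uri: str):
    """Scheme as a browser parses it: strip leading/trailing C0 controls and
    space, remove embedded tab/CR/LF, lower-case. None means no scheme."""
    cleaned = _TAB_NEWLINE_RE.sub("", uri).strip(_C0_AND_SPACE)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def hardened_is_safe(uri: str) -> bool:
    """Denylist applied to the normalized scheme. Relative URIs (no scheme)
    are resolved against the client's root URL and pass this check."""
    scheme = scheme_of(uri)
    return scheme is None or scheme not in DANGEROUS_SCHEMES


def allowlisted_is_safe(uri: str, allowed=frozenset({"https"})) -> bool:
    """Stricter variant: only enumerated schemes (plus relative URIs) pass.
    Native apps with custom schemes must be listed in `allowed` explicitly."""
    scheme = scheme_of(uri)
    return scheme is None or scheme in allowed
```

Where the deployment can afford it, the allowlist form is the one to use: new script-capable schemes do not have to be discovered and added to a denylist, and an operator who wants a custom app scheme has to say so per client.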
6) Path traversal (CVE-ID: CVE-2026-9083)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to missing path restriction on the keystore parameter accepted when creating a key provider component. A remote privileged user can supply an arbitrary filesystem path as the keystore location and learn from the server's response whether that file exists and can be read.
The issue allows probing arbitrary filesystem paths to determine which files exist and are readable by the Keycloak process.
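The fix for an operator-supplied file location is to canonicalize it and require the result to stay under a directory the deployment designates, before anything touches the filesystem; then the response cannot vary with the existence of files outside that directory. The helper below is an added example for this bulletin, not Keycloak's key provider code; the root directory /opt/keycloak/keystores is an assumed location.

```python
import os

KEYSTORE_ROOT = "/opt/keycloak/keystores"  # assumed directory for this example


def resolve_keystore_path(user_value: str, root: str = KEYSTORE_ROOT) -> str:
    """Canonicalize user_value and require it to lie strictly inside root.

    realpath() collapses '..' segments and follows symlinks, so a link inside
    the root that points elsewhere is caught too. An absolute user value does
    not escape either: os.path.join(root, '/etc/passwd') is '/etc/passwd',
    which then fails the containment test.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, user_value))
    if candidate == real_root or os.path.commonpath([real_root, candidate]) != real_root:
        raise PermissionError("keystore must be a file under " + root)
    return candidate


def is_contained(user_value: str, root: str = KEYSTORE_ROOT) -> bool:
    """True when the value resolves to a location inside root."""
    try:
        resolve_keystore_path(user_value, root)
        return True
    except (PermissionError, ValueError):
        return False


def load_keystore_bytes(user_value: str, root: str = KEYSTORE_ROOT) -> bytes:
    """Containment is decided before any filesystem access, so every path
    outside root produces the same PermissionError whether or not the target
    exists; nothing outside root can be probed through this function."""
    path = resolve_keystore_path(user_value, root)
    with open(path, "rb") as fh:
        return fh.read()
```

Note the order in load_keystore_bytes: the containment check raises before open() is reached, which is what removes the existence oracle. A check that opens the file first and filters afterwards still leaks through timing and error codes.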
7) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-9099)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges and compromise administrative accounts.
The vulnerability exists due to improper access control in the GroupResource.addChild() endpoint within the Admin REST API when handling group reparenting requests. A remote privileged user can reparent a highly privileged group under a managed low-privilege group to escalate privileges and compromise administrative accounts.
Only instances with Fine-Grained Admin Permissions v2 enabled are vulnerable to the described privilege inheritance abuse.
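Under fine-grained permissions, managing a group carries over to every group nested beneath it, so a reparent operation that checks only the destination lets a delegated admin pull a group they do not control into their subtree and inherit control over it. The model below is an added example for this bulletin, not Keycloak's GroupResource or its fix; the group tree and the grants are constructed. It shows the destination-only check beside one that also requires manage permission on the group being moved and rejects cycles.

```python
def fresh_groups() -> dict:
    """Constructed group tree: group id -> parent id (None for top-level groups)."""
    return {
        "everyone": None,
        "contractors": "everyone",
        "active": "contractors",
        "legacy": "contractors",
        "platform-admins": None,
    }


# Constructed delegated-admin grants: actor -> groups they may manage. Managing a
# group carries over to every group nested beneath it.
GRANTS = {"helpdesk": {"contractors"}}


def ancestors(groups: dict, gid: str) -> list:
    """Parent chain of gid, nearest first."""
    chain, cur = [], groups[gid]
    while cur is not None:
        chain.append(cur)
        cur = groups[cur]
    return chain


def can_manage(groups: dict, grants: dict, actor: str, gid: str) -> bool:
    managed = grants.get(actor, set())
    return gid in managed or any(a in managed for a in ancestors(groups, gid))


def reparent_vulnerable(groups: dict, grants: dict, actor: str, child: str, new_parent: str) -> dict:
    """Checks permission on the destination only: the pattern the advisory describes."""
    if not can_manage(groups, grants, actor, new_parent):
        raise PermissionError("no manage permission on " + new_parent)
    groups[child] = new_parent
    return groups


def reparent_hardened(groups: dict, grants: dict, actor: str, child: str, new_parent: str) -> dict:
    """Requires manage permission on the destination and on the group being moved,
    and rejects cycles. Moving a group you do not already control can no longer
    make it inherit your permissions."""
    if child not in groups or new_parent not in groups:
        raise KeyError("unknown group")
    if not can_manage(groups, grants, actor, new_parent):
        raise PermissionError("no manage permission on " + new_parent)
    if not can_manage(groups, grants, actor, child):
        raise PermissionError("no manage permission on " + child)
    if child == new_parent or child in ancestors(groups, new_parent):
        raise ValueError("reparenting would create a cycle")
    groups[child] = new_parent
    return groups


def try_reparent(fn, groups: dict, grants: dict, actor: str, child: str, new_parent: str) -> bool:
    """True when the operation was allowed and applied, False when it was refused."""
    try:
        fn(groups, grants, actor, child, new_parent)
        return True
    except (PermissionError, ValueError, KeyError):
        return False
```

The same rule generalizes to any operation that changes where an object sits in a permission-inheriting hierarchy: the caller must already be authorized on everything whose effective permissions the move will change, which here means both the subtree being moved and its new parent.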
Remediation
Install the update from the vendor's website; the linked advisories identify the affected and patched versions.
References
- https://github.com/keycloak/keycloak/security/advisories/GHSA-j97h-3f8r-mrjr
- https://github.com/keycloak/keycloak/security/advisories/GHSA-w3p3-7cjg-vgfw
- https://github.com/keycloak/keycloak/security/advisories/GHSA-32h4-44jj-c5vx
- https://github.com/keycloak/keycloak/security/advisories/GHSA-r7rc-c989-86g6
- https://github.com/keycloak/keycloak/security/advisories/GHSA-v3f7-2p4r-mwfw
- https://github.com/keycloak/keycloak/security/advisories/GHSA-9jrw-8xf7-xqhq
- https://github.com/keycloak/keycloak/security/advisories/GHSA-2qxf-v3g6-73v9