Improper Verification of Cryptographic Signature in Keycloak - CVE-2026-11800

Published: June 29, 2026


Vulnerability identifier: #VU135687
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-11800
CWE-ID: CWE-347
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Keycloak
Affected software:
Keycloak

Detailed vulnerability description

The vulnerability allows a remote user to bypass signature verification and obtain unauthorized access tokens.

The vulnerability exists due to improper verification of the cryptographic signature on JWT assertions in the JWT Authorization Grant flow. A remote user can forge an assertion that bypasses signature verification and thereby obtain unauthorized access tokens.

The issue can allow impersonation of any federated user linked to the affected identity provider.
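The advisory names the weakness class (CWE-347) but not which check Keycloak's implementation got wrong, so the following is an added, generic illustration and not Keycloak's code: a minimal verifier for JWT assertions of the kind a JWT Authorization Grant endpoint consumes, written to show the order of checks a correct implementation performs (signature over header.payload verified with a key the verifier chose itself, algorithm fixed by policy rather than read from the token, then issuer, audience, expiry and subject), together with the negative cases a test suite should cover. It uses HS256 with the Python standard library so it runs offline; real assertions are normally signed with the identity provider's asymmetric key, and the key, issuer URL, audience URL and fixed clock below are constructed demo values.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values: assumptions for this example, not Keycloak configuration.
DEMO_KEY = b"constructed-demo-hmac-key-not-a-real-secret"
EXPECTED_ISSUER = "https://idp.example.test"
EXPECTED_AUDIENCE = "https://as.example.test/realms/demo/protocol/openid-connect/token"
FIXED_NOW = 1_700_000_000  # fixed clock (seconds) so the example is deterministic


class AssertionRejected(Exception):
    """Raised whenever the assertion must not be used to issue a token."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(claims: dict, key: bytes = DEMO_KEY, alg: str = "HS256") -> str:
    """Build a compact JWS for the demo issuer; alg "none" exists only to exercise the verifier."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."  # unsigned token: empty signature part
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_assertion(token: str, key: bytes = DEMO_KEY, now: int = FIXED_NOW) -> dict:
    """Return the claims only after the signature and the binding claims have been checked.

    Nothing in the payload is trusted until the signature over header.payload
    has been verified with the key the verifier selected itself.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise AssertionRejected("malformed compact serialization")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        provided_sig = _b64url_decode(sig_b64)
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise AssertionRejected("undecodable header or signature") from exc

    # The algorithm is fixed by verifier policy; the token's own "alg" is only
    # checked for agreement, so "none" and algorithm substitution are refused.
    if header.get("alg") != "HS256":
        raise AssertionRejected(f"unexpected alg {header.get('alg')!r}")

    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                            hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, provided_sig):
        raise AssertionRejected("signature verification failed")

    # Only now is the payload authenticated and safe to parse.
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError as exc:
        raise AssertionRejected("undecodable payload") from exc
    if claims.get("iss") != EXPECTED_ISSUER:
        raise AssertionRejected("untrusted issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUDIENCE and not (isinstance(aud, list) and EXPECTED_AUDIENCE in aud):
        raise AssertionRejected("assertion not addressed to this token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AssertionRejected("missing or expired exp")
    if not isinstance(claims.get("sub"), str) or not claims["sub"]:
        raise AssertionRejected("missing subject")
    return claims


def is_accepted(token: str, key: bytes = DEMO_KEY, now: int = FIXED_NOW) -> bool:
    """True only when verify_assertion returns claims."""
    try:
        verify_assertion(token, key, now)
        return True
    except AssertionRejected:
        return False


def demo() -> dict:
    """Run the verifier over one genuine assertion and the negative cases a test suite should cover."""
    genuine = {"iss": EXPECTED_ISSUER, "sub": "alice", "aud": EXPECTED_AUDIENCE, "exp": FIXED_NOW + 300}
    good = mint_assertion(genuine)
    h, p, s = good.split(".")
    # Payload edited after signing, original signature kept: must fail the signature check.
    tampered = h + "." + _b64url_encode(json.dumps(dict(genuine, sub="admin")).encode()) + "." + s
    return {
        "genuine": is_accepted(good),
        "tampered_payload": is_accepted(tampered),
        "wrong_key": is_accepted(mint_assertion(genuine, key=b"some-other-key")),
        "alg_none": is_accepted(mint_assertion(genuine, alg="none")),
        "expired": is_accepted(mint_assertion(dict(genuine, exp=FIXED_NOW - 1))),
        "wrong_audience": is_accepted(mint_assertion(dict(genuine, aud="https://other.example.test"))),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:18s} accepted={accepted}")
```

Only the genuine assertion is accepted; every other case in `demo()` is refused before any claim from its payload is acted on. The design point the advisory turns on is the ordering: a verifier that reads `sub` or `alg` from the payload before the signature has been checked, or that derives the key or algorithm from the token itself, gives an attacker exactly the impersonation the advisory describes.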


How to mitigate CVE-2026-11800

Install the security update from the vendor's website.

Sources