Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Network-reachable, low-complexity flow needing valid client credentials (PR:L); forged tokens enable impersonation giving high confidentiality and integrity impact, no availability effect.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.
AnalysisAI
Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Red Hat Build of Keycloak 26.6/26.6.4) lets an attacker holding valid client credentials abuse a JWT algorithm-confusion weakness in the JWT Authorization Grant flow to forge client assertions and mint unauthorized access tokens. The forged tokens allow impersonation of any federated user tied to the affected Identity Provider, yielding unauthorized access and potential privilege escalation. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the attacker to already possess valid client credentials for the Keycloak/RH-SSO deployment (CVSS PR:L) and requires that the JWT Authorization Grant (JWT bearer assertion) client-authentication flow be in use with at least one Identity Provider configured for federated users - that federation linkage is what the impersonation targets. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, score 8.1) describes a network-reachable, low-complexity attack requiring some privileges (PR:L - valid client credentials) and no user interaction, with high confidentiality and integrity impact and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has obtained valid client credentials for a Keycloak/RH-SSO client crafts a JWT client assertion that exploits the algorithm-confusion weakness so that Keycloak accepts a forged signature in the JWT Authorization Grant flow. Using that forged assertion, the attacker obtains access tokens that impersonate arbitrary federated users linked to the Identity Provider, then uses those tokens to reach downstream applications as the victim. … |
| Remediation | Patch available per vendor advisory: apply the fixed packages delivered in Red Hat errata RHSA-2026:30083 (https://access.redhat.com/errata/RHSA-2026:30083) and RHSA-2026:30084 (https://access.redhat.com/errata/RHSA-2026:30084), and consult https://access.redhat.com/security/cve/CVE-2026-11800 and https://bugzilla.redhat.com/show_bug.cgi?id=2487006 for the exact fixed versions for your specific product (Red Hat Build of Keycloak, RH-SSO 7, JBoss EAP Expansion Pack, Data Grid 8); no exact upstream fixed version number was provided in the input, so do not assume one. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Keycloak and Red Hat Single Sign-On 7 deployments; document federated identity providers, connected client applications, and credential holders. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Privilege Escalation
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-39567
GHSA-gqj5-2xp5-3qmp