Skip to main content

Keycloak CVE-2026-11800

| EUVDEUVD-2026-39567 HIGH
Improper Verification of Cryptographic Signature (CWE-347)
2026-06-25 redhat GHSA-gqj5-2xp5-3qmp
8.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network-reachable, low-complexity flow needing valid client credentials (PR:L); forged tokens enable impersonation giving high confidentiality and integrity impact, no availability effect.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Red Hat
8.1 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jun 25, 2026 - 21:54 vuln.today

DescriptionCVE.org

A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.

AnalysisAI

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Red Hat Build of Keycloak 26.6/26.6.4) lets an attacker holding valid client credentials abuse a JWT algorithm-confusion weakness in the JWT Authorization Grant flow to forge client assertions and mint unauthorized access tokens. The forged tokens allow impersonation of any federated user tied to the affected Identity Provider, yielding unauthorized access and potential privilege escalation. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid client credentials
Delivery
Craft forged JWT assertion (algorithm confusion)
Exploit
Submit to JWT Authorization Grant flow
Execution
Bypass signature verification
Persist
Mint impersonation access token
Impact
Access resources as federated user / escalate

Vulnerability AssessmentAI

Exploitation Requires the attacker to already possess valid client credentials for the Keycloak/RH-SSO deployment (CVSS PR:L) and requires that the JWT Authorization Grant (JWT bearer assertion) client-authentication flow be in use with at least one Identity Provider configured for federated users - that federation linkage is what the impersonation targets. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, score 8.1) describes a network-reachable, low-complexity attack requiring some privileges (PR:L - valid client credentials) and no user interaction, with high confidentiality and integrity impact and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained valid client credentials for a Keycloak/RH-SSO client crafts a JWT client assertion that exploits the algorithm-confusion weakness so that Keycloak accepts a forged signature in the JWT Authorization Grant flow. Using that forged assertion, the attacker obtains access tokens that impersonate arbitrary federated users linked to the Identity Provider, then uses those tokens to reach downstream applications as the victim. …
Remediation Patch available per vendor advisory: apply the fixed packages delivered in Red Hat errata RHSA-2026:30083 (https://access.redhat.com/errata/RHSA-2026:30083) and RHSA-2026:30084 (https://access.redhat.com/errata/RHSA-2026:30084), and consult https://access.redhat.com/security/cve/CVE-2026-11800 and https://bugzilla.redhat.com/show_bug.cgi?id=2487006 for the exact fixed versions for your specific product (Red Hat Build of Keycloak, RH-SSO 7, JBoss EAP Expansion Pack, Data Grid 8); no exact upstream fixed version number was provided in the input, so do not assume one. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Keycloak and Red Hat Single Sign-On 7 deployments; document federated identity providers, connected client applications, and credential holders. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Vendor StatusVendor

Share

CVE-2026-11800 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy