Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
AV:N reflects network-delivered OIDC flow; AC:H captures the hard prerequisite of controlling the upstream identity provider; PR:N as attacker holds no Keycloak privileges; C:L/I:L for email-flag integrity manipulation with downstream account-linkage risk.
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the email_verified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but retrieves the email_verified status exclusively from the id_token. The root cause is a lack of validation ensuring that the email_verified claim in the id_token actually refers to the email address returned by the userinfo endpoint. If these two sources return different email addresses, the id_token's email_verified=true claim is blindly applied to the userinfo email. Exploitation Conditions: The OIDC identity provider must have trustEmail set to true (non-default).
The userinfo endpoint must be enabled (default).
The attacker must control or have compromised the upstream OIDC provider.
Concrete Impact: Mark arbitrary email addresses as verified in the Keycloak database.
Bypass email-based security controls or verification workflows.
Potential account takeover if the application relies solely on the email_verified flag from the IdP to link accounts.
AnalysisAI
Keycloak's OIDC broker incorrectly applies the email_verified claim from the id_token to whichever email address is returned by the userinfo endpoint, even when those two sources disagree. An attacker who controls or compromises an upstream OIDC identity provider can exploit this desynchronization - configured with trustEmail=true - to mark an arbitrary, attacker-chosen email address as verified in Keycloak's database. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two non-trivial preconditions to be simultaneously satisfied. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 4.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N is broadly consistent with the actual risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls a malicious (or has compromised a legitimate) upstream OIDC provider configured as an identity provider in a Keycloak deployment with trustEmail=true crafts authentication responses where the id_token contains email_verified=true for attacker@attacker.com, while the userinfo endpoint returns the email of a victim user, victim@organization.com. When a login flow is processed, Keycloak retrieves victim@organization.com from userinfo and blindly applies the email_verified=true from the id_token, permanently marking victim@organization.com as verified in the Keycloak database. … |
| Remediation | Consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-14781 and the associated Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2497118 for patched release versions - no specific fix version was confirmed in the available intelligence data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Red Hat Build Of Keycloak
View allAuthorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con
Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re
Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus
Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea
Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai
Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right
Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads
Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su
Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take
Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a
Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis
Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41732
GHSA-c96p-56gh-3pvw