Skip to main content

Red Hat Keycloak CVE-2026-14781

| EUVDEUVD-2026-41732 MEDIUM
Improper Validation of Consistency within Input (CWE-1288)
2026-07-05 redhat GHSA-c96p-56gh-3pvw
4.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
4.8 MEDIUM

AV:N reflects network-delivered OIDC flow; AC:H captures the hard prerequisite of controlling the upstream identity provider; PR:N as attacker holds no Keycloak privileges; C:L/I:L for email-flag integrity manipulation with downstream account-linkage risk.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
Red Hat
4.8 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
Jul 05, 2026 - 07:21 vuln.today

DescriptionCVE.org

A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the email_verified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but retrieves the email_verified status exclusively from the id_token. The root cause is a lack of validation ensuring that the email_verified claim in the id_token actually refers to the email address returned by the userinfo endpoint. If these two sources return different email addresses, the id_token's email_verified=true claim is blindly applied to the userinfo email. Exploitation Conditions: The OIDC identity provider must have trustEmail set to true (non-default).

The userinfo endpoint must be enabled (default).

The attacker must control or have compromised the upstream OIDC provider.

Concrete Impact: Mark arbitrary email addresses as verified in the Keycloak database.

Bypass email-based security controls or verification workflows.

Potential account takeover if the application relies solely on the email_verified flag from the IdP to link accounts.

AnalysisAI

Keycloak's OIDC broker incorrectly applies the email_verified claim from the id_token to whichever email address is returned by the userinfo endpoint, even when those two sources disagree. An attacker who controls or compromises an upstream OIDC identity provider can exploit this desynchronization - configured with trustEmail=true - to mark an arbitrary, attacker-chosen email address as verified in Keycloak's database. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Control or compromise upstream OIDC identity provider
Delivery
Craft authentication response with divergent id_token email and userinfo email
Exploit
Trigger Keycloak OIDC broker authentication flow
Execution
Keycloak applies id_token email_verified=true to userinfo-sourced email
Persist
Victim email address marked verified in Keycloak database
Impact
Exploit verified email for account linking or bypass email verification gate

Vulnerability AssessmentAI

Exploitation Exploitation requires two non-trivial preconditions to be simultaneously satisfied. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 4.8 (Medium) with vector AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N is broadly consistent with the actual risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who controls a malicious (or has compromised a legitimate) upstream OIDC provider configured as an identity provider in a Keycloak deployment with trustEmail=true crafts authentication responses where the id_token contains email_verified=true for attacker@attacker.com, while the userinfo endpoint returns the email of a victim user, victim@organization.com. When a login flow is processed, Keycloak retrieves victim@organization.com from userinfo and blindly applies the email_verified=true from the id_token, permanently marking victim@organization.com as verified in the Keycloak database. …
Remediation Consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-14781 and the associated Bugzilla tracker at https://bugzilla.redhat.com/show_bug.cgi?id=2497118 for patched release versions - no specific fix version was confirmed in the available intelligence data at time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-9800 HIGH
8.1 Jun 25

Authorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con

CVE-2026-11800 HIGH
8.1 Jun 25

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re

CVE-2026-7504 HIGH
8.1 May 19

Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus

CVE-2026-9087 HIGH
8.1 May 20

Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea

CVE-2026-4636 HIGH
8.1 Apr 02

Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai

CVE-2026-9099 HIGH
7.7 Jun 25

Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right

CVE-2026-7307 HIGH
7.5 May 19

Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads

CVE-2026-4634 HIGH
7.5 Apr 02

Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su

CVE-2026-7507 HIGH
7.5 May 19

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take

CVE-2026-4282 HIGH
7.4 Apr 02

Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a

CVE-2026-9086 HIGH
7.3 Jun 25

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis

CVE-2026-3872 HIGH
7.3 Apr 02

Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web

Vendor StatusVendor

Share

CVE-2026-14781 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy