Skip to main content

Red Hat Keycloak CVE-2026-8830

| EUVDEUVD-2026-30841 MEDIUM
Use of Client-Side Authentication (CWE-603)
2026-05-19 redhat GHSA-g8vr-x4qh-25qg
4.3
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Red Hat
4.3 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 19, 2026 - 06:47 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 70 maven packages depend on org.keycloak:keycloak-services (36 direct, 34 indirect)

Ecosystem-wide dependent count for version 26.6.3.

DescriptionCVE.org

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.

AnalysisAI

WebAuthn policy enforcement bypass in Red Hat Build of Keycloak allows low-privileged authenticated users to register credentials that violate administrator-configured realm security policies. The server-side processAction() method does not validate that newly registered WebAuthn credential parameters - such as public key algorithms - conform to the realm's defined WebAuthn policies, enabling a user to manipulate client-side JavaScript during the registration flow to submit non-compliant credential data. No public exploit has been identified at time of analysis; exploitation requires an authenticated session and is limited to integrity impact (policy bypass), with no direct confidentiality or availability consequence.

Technical ContextAI

Keycloak is Red Hat's Identity and Access Management platform, widely deployed for OIDC/SAML-based SSO and increasingly used with FIDO2/WebAuthn for passwordless authentication. WebAuthn allows servers to enforce policies over acceptable public key algorithms (e.g., ES256, RS256) and authenticator attestation. CWE-603 ('Use of Client-Side Authentication') is the root cause here: the server delegates policy enforcement logic to the client side during credential registration, but fails to re-verify the submitted credential parameters server-side in processAction(). An attacker can tamper with the JavaScript payload to submit credential parameters using a weaker or policy-disallowed algorithm, and the server accepts the registration without cross-checking against realm WebAuthn policy. The affected product is identified by CPE cpe:2.3:a:red_hat:red_hat_build_of_keycloak:*:*:*:*:*:*:*:*, indicating all tracked versions of the Red Hat Build of Keycloak are in scope.

RemediationAI

No vendor-released patched version is identified from available data at time of analysis. Organizations should monitor https://access.redhat.com/security/cve/CVE-2026-8830 for patch releases and apply any issued errata for Red Hat Build of Keycloak promptly. As a compensating control, administrators should audit existing WebAuthn credentials registered in affected realms to verify algorithm compliance, using Keycloak's admin console or REST API to inspect registered authenticator data. If non-compliant credentials are found, forced re-registration can be mandated by revoking the offending credentials. Additionally, restricting which users can self-register WebAuthn credentials (limiting enrollment to administrator-initiated flows where server-side policy enforcement can be independently verified) reduces the attack surface. Note that forced re-registration may temporarily disrupt users relying on those credentials. Consult https://bugzilla.redhat.com/show_bug.cgi?id=2479565 for upstream fix progress.

CVE-2026-9800 HIGH
8.1 Jun 25

Authorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con

CVE-2026-11800 HIGH
8.1 Jun 25

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re

CVE-2026-7504 HIGH
8.1 May 19

Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus

CVE-2026-9087 HIGH
8.1 May 20

Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea

CVE-2026-4636 HIGH
8.1 Apr 02

Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai

CVE-2026-9099 HIGH
7.7 Jun 25

Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right

CVE-2026-7307 HIGH
7.5 May 19

Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads

CVE-2026-4634 HIGH
7.5 Apr 02

Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su

CVE-2026-7507 HIGH
7.5 May 19

Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take

CVE-2026-4282 HIGH
7.4 Apr 02

Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a

CVE-2026-9086 HIGH
7.3 Jun 25

Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis

CVE-2026-3872 HIGH
7.3 Apr 02

Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web

Vendor StatusVendor

Share

CVE-2026-8830 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy