Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from Vendor (redhat).
CVSS VectorVendor: redhat
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 70 maven packages depend on org.keycloak:keycloak-services (36 direct, 34 indirect)
Ecosystem-wide dependent count for version 26.6.3.
DescriptionCVE.org
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.
AnalysisAI
WebAuthn policy enforcement bypass in Red Hat Build of Keycloak allows low-privileged authenticated users to register credentials that violate administrator-configured realm security policies. The server-side processAction() method does not validate that newly registered WebAuthn credential parameters - such as public key algorithms - conform to the realm's defined WebAuthn policies, enabling a user to manipulate client-side JavaScript during the registration flow to submit non-compliant credential data. No public exploit has been identified at time of analysis; exploitation requires an authenticated session and is limited to integrity impact (policy bypass), with no direct confidentiality or availability consequence.
Technical ContextAI
Keycloak is Red Hat's Identity and Access Management platform, widely deployed for OIDC/SAML-based SSO and increasingly used with FIDO2/WebAuthn for passwordless authentication. WebAuthn allows servers to enforce policies over acceptable public key algorithms (e.g., ES256, RS256) and authenticator attestation. CWE-603 ('Use of Client-Side Authentication') is the root cause here: the server delegates policy enforcement logic to the client side during credential registration, but fails to re-verify the submitted credential parameters server-side in processAction(). An attacker can tamper with the JavaScript payload to submit credential parameters using a weaker or policy-disallowed algorithm, and the server accepts the registration without cross-checking against realm WebAuthn policy. The affected product is identified by CPE cpe:2.3:a:red_hat:red_hat_build_of_keycloak:*:*:*:*:*:*:*:*, indicating all tracked versions of the Red Hat Build of Keycloak are in scope.
RemediationAI
No vendor-released patched version is identified from available data at time of analysis. Organizations should monitor https://access.redhat.com/security/cve/CVE-2026-8830 for patch releases and apply any issued errata for Red Hat Build of Keycloak promptly. As a compensating control, administrators should audit existing WebAuthn credentials registered in affected realms to verify algorithm compliance, using Keycloak's admin console or REST API to inspect registered authenticator data. If non-compliant credentials are found, forced re-registration can be mandated by revoking the offending credentials. Additionally, restricting which users can self-register WebAuthn credentials (limiting enrollment to administrator-initiated flows where server-side policy enforcement can be independently verified) reduces the attack surface. Note that forced re-registration may temporarily disrupt users relying on those credentials. Consult https://bugzilla.redhat.com/show_bug.cgi?id=2479565 for upstream fix progress.
More in Red Hat Build Of Keycloak
View allAuthorization bypass in the Keycloak Policy Enforcer allows any authenticated user to circumvent all enforced access con
Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Re
Open redirect in Red Hat build of Keycloak permits remote attackers to send victims to attacker-controlled hosts by abus
Identity linking bypass in Red Hat build of Keycloak allows an attacker controlling a second account on the same upstrea
Authenticated users with uma_protection role in Red Hat Keycloak can bypass User-Managed Access policy validation to gai
Privilege escalation in Keycloak (Red Hat Build of Keycloak) lets an authenticated delegated admin with management right
Denial of service in Red Hat build of Keycloak allows remote unauthenticated attackers to exhaust CPU and worker threads
Denial of Service in Red Hat Build of Keycloak allows unauthenticated remote attackers to exhaust server resources by su
Session fixation in Keycloak's login-actions endpoints allows remote attackers to hijack authenticated sessions and take
Authorization code forgery in Red Hat Keycloak enables unauthenticated attackers to escalate privileges to admin-level a
Stored Cross-Site Scripting in Red Hat Build of Keycloak lets an authenticated administrator with `manage-client` permis
Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web
Same weakness CWE-603 – Use of Client-Side Authentication
View allSame technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30841
GHSA-g8vr-x4qh-25qg