
Red Hat Keycloak CVE-2026-9087

EUVD-2026-31134 | Severity: MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
Published 2026-05-20 | redhat | GHSA-m6qj-3mpp-57v8
CVSS 3.1 base score: 6.4

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

1. Analysis Generated: May 20, 2026 - 17:31 (vuln.today)

Description (NVD)

A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.

Analysis (AI)

Account takeover via IdP linking proof reuse in Red Hat Build of Keycloak allows an authenticated attacker who holds an account on the same external Identity Provider (IdP) to hijack another user's local Keycloak account. The cross-session verification proof generated during the IdP account-linking flow is scoped only to the tuple (local userId, idpAlias) and is not bound to the specific upstream identity (the brokered subject) that completed verification. A second IdP account under the attacker's control can therefore consume the proof and become linked to the victim's local account, which is exactly what a link grants: subsequent brokered logins from that upstream account resolve to the victim's local user. The vector's PR:L and UI:R reflect that the attacker needs their own account on the IdP and that the victim must take part in the linking flow; the fix direction the description implies is to bind the proof to the upstream identity that was actually verified and reject consumption by any other subject. …
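The keying flaw described above, modelled as an added example that is not Keycloak source and not from the vendor advisory: a proof store keyed only by (userId, idpAlias), beside one that also records the verified upstream subject and refuses any other. The identifiers (`corp-idp`, `upstream-sub-victim`, `upstream-sub-attacker`, `local-user-victim`) are constructed for the demonstration, and how the attacker's brokered login gets routed into the victim's linking step is not described on the page and is simply assumed here.

```python
"""Model of the IdP account-linking proof: the flawed keying beside a
subject-bound one. Added illustration, not Keycloak source; all names
are invented for the demonstration."""
import hmac
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class BrokeredIdentity:
    """What the broker learns about the upstream account after login."""
    idp_alias: str
    subject: str  # upstream 'sub' / NameID, unique within that IdP


class KeyedByUserAndIdpProofs:
    """Flawed variant (as the page describes it): the proof is keyed only by
    (local userId, idpAlias). Any brokered login from the same IdP that
    reaches the linking step for that user can consume it."""

    def __init__(self, ttl_seconds: float = 300.0) -> None:
        self._ttl = ttl_seconds
        self._proofs: Dict[Tuple[str, str], float] = {}

    def issue(self, user_id: str, verified: BrokeredIdentity) -> None:
        # verified.subject is dropped here; only the tuple survives.
        self._proofs[(user_id, verified.idp_alias)] = time.monotonic() + self._ttl

    def consume(self, user_id: str, presented: BrokeredIdentity) -> bool:
        expires = self._proofs.pop((user_id, presented.idp_alias), None)
        return expires is not None and time.monotonic() < expires


class SubjectBoundProofs:
    """Hardened variant: the proof records the upstream subject that actually
    completed verification and is honoured only for that same subject.
    A mismatch still pops the proof, so the victim has to start over."""

    def __init__(self, ttl_seconds: float = 300.0) -> None:
        self._ttl = ttl_seconds
        self._proofs: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def issue(self, user_id: str, verified: BrokeredIdentity) -> None:
        self._proofs[(user_id, verified.idp_alias)] = (
            verified.subject, time.monotonic() + self._ttl)

    def consume(self, user_id: str, presented: BrokeredIdentity) -> bool:
        entry = self._proofs.pop((user_id, presented.idp_alias), None)
        if entry is None:
            return False
        bound_subject, expires = entry
        return (time.monotonic() < expires
                and hmac.compare_digest(bound_subject.encode(), presented.subject.encode()))


def link_after_verification(store, user_id: str, verified: BrokeredIdentity,
                            presented: BrokeredIdentity) -> Optional[str]:
    """Issue a proof for `verified`, then let `presented` try to consume it.
    Returns the upstream subject that ends up linked to user_id, or None."""
    links: Dict[Tuple[str, str], str] = {}
    store.issue(user_id, verified)
    if store.consume(user_id, presented):
        links[(user_id, presented.idp_alias)] = presented.subject
    return links.get((user_id, presented.idp_alias))


# Constructed scenario (hypothetical names). How the attacker's brokered login
# reaches the victim's linking step is not on the page; it is assumed here.
VICTIM_LOCAL_ID = "local-user-victim"
VICTIM_UPSTREAM = BrokeredIdentity("corp-idp", "upstream-sub-victim")
ATTACKER_UPSTREAM = BrokeredIdentity("corp-idp", "upstream-sub-attacker")


def hijack_outcome(store) -> Optional[str]:
    """Victim verified with VICTIM_UPSTREAM; ATTACKER_UPSTREAM consumes the proof."""
    return link_after_verification(store, VICTIM_LOCAL_ID, VICTIM_UPSTREAM, ATTACKER_UPSTREAM)


def honest_outcome(store) -> Optional[str]:
    """Same upstream account issues and consumes: must link in both variants."""
    return link_after_verification(store, VICTIM_LOCAL_ID, VICTIM_UPSTREAM, VICTIM_UPSTREAM)


if __name__ == "__main__":
    print("flawed:", hijack_outcome(KeyedByUserAndIdpProofs()))  # upstream-sub-attacker
    print("bound :", hijack_outcome(SubjectBoundProofs()))       # None
    print("honest:", honest_outcome(SubjectBoundProofs()))       # upstream-sub-victim
```

The point of the two classes is the lookup key at consumption time: the flawed store asks only "has this local user verified something against this IdP alias?", while the bound store asks "has this local user verified this exact upstream subject?". Recording the verified subject is the minimum; a real implementation would also keep the proof single-use and short-lived, as both variants here do, so a stale proof cannot be replayed into a later linking attempt.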



