Skip to main content

Keycloak CVE-2026-9704

| EUVDEUVD-2026-32300 HIGH
Improper Validation of Specified Quantity in Input (CWE-1284)
2026-05-27 secalert@redhat.com GHSA-rr5q-3xwr-f323
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Remote token endpoint (AV:N), trivial oversized-JWT trick (AC:L), requires a low-privileged account (PR:L), no user interaction; escalation to service account yields full CIA within the realm.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Red Hat
6.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Jun 10, 2026 - 22:34 vuln.today
v3 (cvss_changed)
Analysis Updated
Jun 10, 2026 - 22:33 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jun 10, 2026 - 22:22 vuln.today
cvss_changed
Severity Changed
Jun 10, 2026 - 22:22 NVD
MEDIUM HIGH
CVSS changed
Jun 10, 2026 - 22:22 NVD
6.8 (MEDIUM) 8.8 (HIGH)
Analysis Generated
May 27, 2026 - 21:17 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 81 maven packages depend on org.keycloak:keycloak-server-spi-private (45 direct, 36 indirect)
  • 70 maven packages depend on org.keycloak:keycloak-services (36 direct, 34 indirect)

Ecosystem-wide dependent count for version 26.6.3 and other introduced versions.

DescriptionNVD

A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.

AnalysisAI

Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of a client's service account by submitting an oversized subject_token JWT to the TokenEndpoint. When the token exceeds the 4000-character limit it is silently discarded rather than rejected, causing the server to fall back to client-credentials authentication and grant the attacker the client's service-account scope. No public exploit identified at time of analysis and EPSS is very low (0.04%), but CVSS rates the issue 8.8 due to full CIA impact post-exploitation.

Technical ContextAI

Keycloak is Red Hat's open-source identity and access management server implementing OAuth 2.0, OIDC, and SAML, with the affected component being the OAuth2 TokenEndpoint that handles token exchange and grant processing. The root cause maps to CWE-1284 (Improper Validation of Specified Quantity in Input): the endpoint enforces a 4000-character ceiling on the subject_token parameter but, instead of returning an error when the limit is exceeded, silently drops the token and continues processing the request. Because token exchange requests typically also carry client credentials, the server then authenticates the request as the client itself and issues a token bound to the client's service account rather than the original subject - effectively converting a malformed delegation request into a successful client-credentials grant. The CPE confirms the impact applies to cpe:2.3:a:redhat:build_of_keycloak (Red Hat's hardened distribution of upstream Keycloak).

RemediationAI

Patch available per vendor advisory: apply the updates shipped in RHSA-2026:25097 (https://access.redhat.com/errata/RHSA-2026:25097) and RHSA-2026:25098 (https://access.redhat.com/errata/RHSA-2026:25098), which correspond to the patched Red Hat Build of Keycloak releases; exact fix version numbers should be confirmed against the linked errata for your specific Keycloak stream. Until patching is complete, compensating controls include disabling the token-exchange feature on clients that do not require it (this breaks any delegation flows that rely on subject_token swap), restricting which clients are permitted to perform token exchange via the fine-grained admin permission model, tightly scoping each client's service-account roles to the minimum necessary so a fallback to client credentials does not yield administrative permissions, and adding a reverse-proxy or WAF rule that rejects token-endpoint requests whose subject_token parameter exceeds ~4000 characters (trade-off: legitimate large JWTs with many claims may be blocked). Monitor Keycloak audit logs for token-exchange requests that result in client-credentials grants from accounts that previously used a subject_token.

CVE-2024-8883 MEDIUM POC
6.1 Sep 19

A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploita

CVE-2026-3047 HIGH
8.8 Mar 05

Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowin

CVE-2026-3009 HIGH
8.1 Mar 05

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowin

CVE-2024-1132 HIGH
8.1 Apr 17

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS

CVE-2024-7885 HIGH
7.5 Aug 21

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across

CVE-2024-10234 HIGH
7.3 Oct 22

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Ra

CVE-2026-37980 MEDIUM
6.9 Apr 14

Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or mana

CVE-2026-9802 MEDIUM
6.8 May 28

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse th

CVE-2025-7784 MEDIUM
6.5 Jul 18

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manag

CVE-2024-4629 MEDIUM
6.5 Sep 03

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no

CVE-2024-7260 MEDIUM
6.1 Sep 09

An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely e

CVE-2025-3910 MEDIUM
5.4 Apr 29

A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentic

Vendor StatusVendor

Share

CVE-2026-9704 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy