Skip to main content

Red Hat Keycloak EUVDEUVD-2026-32707

| CVE-2026-9793 MEDIUM
Improper Verification of Cryptographic Signature (CWE-347)
2026-05-28 redhat GHSA-p3v8-fm5p-v84h
5.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Red Hat
5.9 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 28, 2026 - 05:03 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 52 maven packages depend on org.keycloak:keycloak-services (20 direct, 32 indirect)

Ecosystem-wide dependent count for version 26.6.4.

DescriptionCVE.org

A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements.

AnalysisAI

Signature policy bypass in Red Hat Build of Keycloak's JWE request object handling allows unauthenticated remote attackers to inject unauthorized claims into the OpenID Connect authorization flow. When a JWE-encrypted request object is submitted and its decrypted content is raw JSON, Keycloak improperly skips signature verification, violating both OIDC Core and Financial-grade API (FAPI) signing requirements. No public exploit code exists at time of analysis, but the integrity-only impact (CVSS I:H) is directly relevant to authorization trust boundaries, making this high-priority for FAPI-compliant or financial-sector Keycloak deployments.

Technical ContextAI

Keycloak implements OpenID Connect (OIDC), which supports request objects - signed and/or encrypted JWTs that carry authorization parameters. JSON Web Encryption (JWE) wraps a payload that, per OIDC Core spec, should be a signed JWT (JWS). The flaw, classified as CWE-347 (Improper Verification of Cryptographic Signature), occurs when the decrypted JWE payload is raw JSON rather than a signed JWS: Keycloak processes the claims directly without enforcing the configured signature policy. This breaks the assumption that request objects are authenticity-protected, undermining the FAPI security profile which mandates signed request objects to prevent claim tampering. The affected product per CPE is cpe:2.3:a:red_hat:red_hat_build_of_keycloak:*:*:*:*:*:*:*:*, with the wildcard version range indicating the full product line is implicated pending narrower vendor scoping.

RemediationAI

No vendor-released patch with an exact fix version has been confirmed at time of analysis - the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9793 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2482460 should be monitored for patch release and specific remediated version numbers. As an immediate compensating control, enforce a strict redirect URI allowlist in all Keycloak realms, which the description explicitly identifies as a partial mitigating control - this limits the practical impact of unauthorized claim injection by restricting where authorization responses can be sent. Additionally, if the deployment does not require JWE-encrypted request objects, consider disabling support for encrypted request objects in realm settings to eliminate the attack surface entirely; note this may break integrations with clients using JWE request objects. For FAPI-profile deployments, treat this as a compliance violation requiring prompt vendor patch application and consider temporarily restricting which clients are permitted to submit request objects.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Vendor StatusVendor

Share

EUVD-2026-32707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy