Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 52 maven packages depend on org.keycloak:keycloak-services (20 direct, 32 indirect)
Ecosystem-wide dependent count for version 26.6.4.
DescriptionCVE.org
A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements.
AnalysisAI
Signature policy bypass in Red Hat Build of Keycloak's JWE request object handling allows unauthenticated remote attackers to inject unauthorized claims into the OpenID Connect authorization flow. When a JWE-encrypted request object is submitted and its decrypted content is raw JSON, Keycloak improperly skips signature verification, violating both OIDC Core and Financial-grade API (FAPI) signing requirements. No public exploit code exists at time of analysis, but the integrity-only impact (CVSS I:H) is directly relevant to authorization trust boundaries, making this high-priority for FAPI-compliant or financial-sector Keycloak deployments.
Technical ContextAI
Keycloak implements OpenID Connect (OIDC), which supports request objects - signed and/or encrypted JWTs that carry authorization parameters. JSON Web Encryption (JWE) wraps a payload that, per OIDC Core spec, should be a signed JWT (JWS). The flaw, classified as CWE-347 (Improper Verification of Cryptographic Signature), occurs when the decrypted JWE payload is raw JSON rather than a signed JWS: Keycloak processes the claims directly without enforcing the configured signature policy. This breaks the assumption that request objects are authenticity-protected, undermining the FAPI security profile which mandates signed request objects to prevent claim tampering. The affected product per CPE is cpe:2.3:a:red_hat:red_hat_build_of_keycloak:*:*:*:*:*:*:*:*, with the wildcard version range indicating the full product line is implicated pending narrower vendor scoping.
RemediationAI
No vendor-released patch with an exact fix version has been confirmed at time of analysis - the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9793 and Bugzilla entry https://bugzilla.redhat.com/show_bug.cgi?id=2482460 should be monitored for patch release and specific remediated version numbers. As an immediate compensating control, enforce a strict redirect URI allowlist in all Keycloak realms, which the description explicitly identifies as a partial mitigating control - this limits the practical impact of unauthorized claim injection by restricting where authorization responses can be sent. Additionally, if the deployment does not require JWE-encrypted request objects, consider disabling support for encrypted request objects in realm settings to eliminate the attack surface entirely; note this may break integrations with clients using JWE request objects. For FAPI-profile deployments, treat this as a compliance violation requiring prompt vendor patch application and consider temporarily restricting which clients are permitted to submit request objects.
More in Jwt Attack
View allWhy is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update
Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke
Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS
The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT
A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti
A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27
A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work
The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t
cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote
Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32707
GHSA-p3v8-fm5p-v84h