Skip to main content

Red Hat Build Of Keycloak 26 6

1 CVEs product

Monthly

CVE-2026-11800 HIGH PATCH This Week

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Red Hat Build of Keycloak 26.6/26.6.4) lets an attacker holding valid client credentials abuse a JWT algorithm-confusion weakness in the JWT Authorization Grant flow to forge client assertions and mint unauthorized access tokens. The forged tokens allow impersonation of any federated user tied to the affected Identity Provider, yielding unauthorized access and potential privilege escalation. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; Red Hat rates it 8.1 (High).

Privilege Escalation Jwt Attack Authentication Bypass Red Hat Build Of Keycloak 26 6 Red Hat Build Of Keycloak 26 6 4 +4
NVD
CVSS 3.1
8.1
EPSS
0.2%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Signature-verification bypass in Keycloak (and Red Hat's Keycloak-based products such as Red Hat Single Sign-On 7 and Red Hat Build of Keycloak 26.6/26.6.4) lets an attacker holding valid client credentials abuse a JWT algorithm-confusion weakness in the JWT Authorization Grant flow to forge client assertions and mint unauthorized access tokens. The forged tokens allow impersonation of any federated user tied to the affected Identity Provider, yielding unauthorized access and potential privilege escalation. There is no public exploit identified at time of analysis and the issue is not on CISA KEV; Red Hat rates it 8.1 (High).

Privilege Escalation Jwt Attack Authentication Bypass +6
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy