PT-2026-55772 · Red Hat · Red Hat Build Of Keycloak+3
Publicado
2026-07-05
·
Atualizado
2026-07-05
·
CVE-2026-14781
CVSS v3.1
4.8
Média
| Vetor | AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |
A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the email verified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but retrieves the email verified status exclusively from the id token.
The root cause is a lack of validation ensuring that the email verified claim in the id token actually refers to the email address returned by the userinfo endpoint. If these two sources return different email addresses, the id token's email verified=true claim is blindly applied to the userinfo email.
Exploitation Conditions:
The OIDC identity provider must have trustEmail set to true (non-default).
The userinfo endpoint must be enabled (default).
The attacker must control or have compromised the upstream OIDC provider.
Concrete Impact:
Mark arbitrary email addresses as verified in the Keycloak database.
Bypass email-based security controls or verification workflows.
Potential account takeover if the application relies solely on the email verified flag from the IdP to link accounts.
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Red Hat Build Of Keycloak
Red Hat Data Grid 8
Red Hat Jboss Enterprise Application Platform Expansion Pack
Red Hat Single Sign-On 7