Gwthr

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** A flaw exists in Keycloak’s invitation token registration mechanism. The server does not verify the cryptographic signature of the JSON Web Token (JWT). An attacker can modify the organization ID (`org id`) and target email within a legitimate invitation token’s JWT payload to register an account in an unauthorized organization. This can lead to unauthorized access, bypassing invite-only onboarding, access to resources through Single Sign-On (SSO), and potential privilege escalation through Role-Based Access Control (RBAC). **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.