PT-2026-42199 · Red Hat · Red Hat Build Of Keycloak
Published
2026-05-20
·
Updated
2026-05-20
·
CVE-2026-9087
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId,
idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
Fix
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Red Hat Build Of Keycloak