PT-2026-44184 · Red Hat · Keycloak

Osidb Bzimport

·

Published

2026-05-28

·

Updated

2026-06-03

·

CVE-2026-9793

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)
Description A flaw exists where Keycloak may incorrectly process unsigned claims when a JSON Web Encryption (JWE) encrypted request object is submitted, provided the decrypted content is raw JSON. This behavior bypasses the configured signature policy, allowing a remote attacker to submit unauthorized claims and compromising data integrity within the OpenID Connect (OIDC) authorization flow. This issue violates OIDC Core and Financial-grade API (FAPI) signing requirements, although a redirect URI allowlist serves as a compensating control.
Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Improper Verification of Cryptographic Signature

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-9793
GHSA-P3V8-FM5P-V84H

Affected Products

Keycloak