PT-2026-7129 · Red Hat · Keycloak

Gwthr +2
Published 2026-02-09 · Updated 2026-03-10
CVE-2026-1529
CVSS v2.0: 8.5 High (AV:N/AC:L/Au:S/C:C/I:C/A:N)
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)

Description: A flaw exists in Keycloak's invitation token registration mechanism: the server does not verify the cryptographic signature of the invitation JSON Web Token (JWT) before acting on its claims. An attacker who holds any legitimate invitation token can therefore rewrite the organization ID (org id) and target email in the JWT payload and submit the result; because the signature is never checked, it does not need to be valid for the altered claims. The attacker can thus register an account in an organization they were never invited to. This bypasses invite-only onboarding and can lead to unauthorized access to resources exposed through Single Sign-On (SSO) and to privilege escalation via roles granted through Role-Based Access Control (RBAC).

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
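The following is an added illustration, not code from this advisory or from Keycloak: it contrasts the vulnerable pattern (reading JWT claims without checking the signature) with the hardened check the weakness calls for. The HS256 secret, the claim names org_id and email, and the token layout are assumptions chosen for the demo; the page does not describe Keycloak's actual invitation token format or key material.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. Keycloak's real invitation tokens are signed with
# realm keys and may use different claim names; everything below is an assumption.
SECRET = b"demo-realm-signing-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def mint_invitation(secret: bytes, org_id: str, email: str, ttl: int = 3600) -> str:
    """Issuer side: sign an HS256 invitation token (assumed layout)."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"org_id": org_id, "email": email, "exp": int(time.time()) + ttl}
    signing_input = _compact(header) + "." + _compact(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def tamper(token: str, **new_claims) -> str:
    """Attacker side: rewrite payload claims, keep the header and the stale signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload.update(new_claims)
    return header_b64 + "." + _compact(payload) + "." + sig_b64


def parse_unverified(token: str) -> dict:
    """Vulnerable pattern: trust whatever the payload says, signature never checked."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def parse_verified(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Hardened pattern: pin the algorithm, recompute the MAC over header.payload
    with a constant-time compare, and enforce expiry before releasing any claim."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # rejects alg=none and algorithm confusion
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    payload = json.loads(_b64url_decode(payload_b64))
    current = now if now is not None else int(time.time())
    if payload.get("exp", 0) <= current:
        return None
    return payload


def demo() -> tuple:
    """Returns (org accepted by the unverified parser, org accepted by the verified parser)."""
    legit = mint_invitation(SECRET, org_id="org-guests", email="invitee@example.com")
    forged = tamper(legit, org_id="org-admins", email="attacker@example.com")
    unverified_org = parse_unverified(forged)["org_id"]      # forged claim goes through
    verified = parse_verified(forged, SECRET)                 # None: MAC mismatch
    return unverified_org, None if verified is None else verified["org_id"]


if __name__ == "__main__":
    print(demo())
```

The forged token is accepted by parse_unverified exactly as the advisory describes, while parse_verified rejects it because the MAC was computed over the original payload. Note that verification must happen before any claim is read: checking the signature after using org_id to look up the organization leaves the same window open.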

Weakness Enumeration

Improper Verification of Cryptographic Signature (CWE-347)

Related Identifiers

BDU:2026-01704
CVE-2026-1529
GHSA-hcvw-475w-8g7p

Affected Products

Keycloak