Description
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.
Published: 2026-06-25
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Keycloak contains a JWT algorithm confusion vulnerability that undermines signature verification when an attacker generates a forged JWT assertion. By exploiting this flaw, an entity in possession of valid client credentials can obtain unauthorized access tokens that reference any federated user linked to the affected identity provider. The resulting impersonation allows the attacker to access protected resources and potentially elevate privileges within the Keycloak realm.

Affected Systems

Red Hat Build of Keycloak, including the 26.6 and 26.6.4 releases, is impacted. Affected environments also include Red Hat Data Grid 8, the Red Hat JBoss Enterprise Application Platform Expansion Pack, and Red Hat Single Sign‑On 7. These components are distributed under the Red Hat Build of Keycloak package across several Red Hat platforms.

Risk and Exploitability

With a CVSS v3.1 score of 8.1, the vulnerability presents a high-severity risk. Although no EPSS value is currently available, the likelihood of exploitation remains significant, especially for attackers who can compromise or acquire a client with valid credentials. The flaw is not yet listed in CISA KEV, but the potential for impersonation and privilege escalation makes remediation urgent. The attack path requires access to a client that can use the JWT Authorization Grant, but once an attacker holds such credentials, the algorithm confusion allows them to generate tokens granting undetectable, full access to any federated user.

Generated by OpenCVE AI on June 25, 2026 at 22:25 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply Red Hat updates RHSA-2026:30083 and RHSA-2026:30084 to patch the JWT algorithm confusion in Keycloak.
  • Upgrade all Keycloak installations to the latest available Red Hat build (at least version 26.6.4) and ensure that any identity provider connections use strong, non‑trivial JWT algorithms (such as RS256) with correct key validation.
  • Restrict issuance of client credentials, rotate existing ones, and limit the JWT Authorization Grant flow to only those clients that truly require it.
  • As a temporary mitigation if updates cannot be applied immediately, disable or tightly restrict the JWT Authorization Grant flow for clients that are not essential, or enforce strict server-side checking of the JWT signing algorithm.



Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:30:00 +0000

Type / Values Removed / Values Added
Description: A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.
Title: Org.keycloak:keycloak-services: keycloak: authentication bypass via jwt algorithm confusion
First Time appeared: Redhat; Redhat build Keycloak; Redhat jboss Data Grid; Redhat jbosseapxp; Redhat red Hat Single Sign On
Weaknesses: CWE-347
CPEs: cpe:/a:redhat:build_keycloak:; cpe:/a:redhat:build_keycloak:26.6::el9; cpe:/a:redhat:jboss_data_grid:8; cpe:/a:redhat:jbosseapxp; cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products: Redhat; Redhat build Keycloak; Redhat jboss Data Grid; Redhat jbosseapxp; Redhat red Hat Single Sign On
References:
Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-06-25T20:57:05.276Z

Reserved: 2026-06-09T14:06:04.695Z

Link: CVE-2026-11800

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-25T22:30:15Z

Weaknesses
  • CWE-347: Improper Verification of Cryptographic Signature