Description
A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.
Published: 2026-02-09
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Organization Access
Action: Apply Patch
AI Analysis

Impact

The vulnerability allows an attacker to modify the organization identifier and the target email inside a legitimately issued invitation token. Because the Keycloak service does not verify the cryptographic signature, the altered token is accepted, enabling the attacker to self-register into an unauthorized organization. This results in user creation with potential access to organization resources, constituting a privilege escalation.

Affected Systems

Red Hat build of Keycloak, specifically the 26.2 EL9 build (including 26.2.13) and the 26.4 EL9 build (including 26.4.9). These builds are covered by the Red Hat Product Security advisories RHSA-2026:2363 through RHSA-2026:2366. The flaw was identified in the org.keycloak.services.resources.organizations package.

Risk and Exploitability

The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) gives a score of 8.1 (High): the attack is network-reachable, low complexity and needs no user interaction, but it does require low privileges, here a legitimately issued invitation token. The EPSS score below 1% suggests that exploitation in the wild is currently unlikely. An attacker who obtains a valid invitation token can rewrite the JWT payload to name a different organization ID and target email and submit it to the invitation endpoint; because the service does not verify the token's signature, nothing detects the altered payload. No elevated privileges on the Keycloak server are needed, so the attack can be carried out remotely, which makes this a significant risk for deployments that rely on invitation-based user onboarding.
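The manipulation described above (payload rewrite of a legitimately issued token, accepted because the signature is never checked), as an added example that is not Keycloak's own code: a minimal HS256 invitation token, the attacker's rewrite of its claims, the vulnerable acceptance path that decodes claims without verification (the CWE-347 pattern recorded for this CVE), and a hardened path that recomputes the MAC and compares it in constant time. The key, the claim names org_id and email, and all function names are assumptions for illustration; the real Keycloak token format and code path are not shown on this page. The hardened path also pins the algorithm to HS256, a check the page does not discuss but that belongs in any JWT verifier.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample key; a real deployment uses its realm's signing key.
SERVER_KEY = b"demo-hmac-key-not-keycloaks"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url: restore padding, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def issue_invitation(org_id: str, email: str, key: bytes = SERVER_KEY) -> str:
    """Mint an HS256-signed invitation token (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"org_id": org_id, "email": email}).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def tamper(token: str, org_id: str, email: str) -> str:
    """Attacker step: rewrite the claims and keep the original signature."""
    header, payload, signature = token.split(".")
    claims = json.loads(_b64url_decode(payload))
    claims["org_id"] = org_id
    claims["email"] = email
    return f"{header}.{_b64url(json.dumps(claims).encode())}.{signature}"


def accept_invitation_vulnerable(token: str) -> dict:
    """CWE-347 pattern: trust the claims without verifying the signature."""
    _, payload, _ = token.split(".")
    return json.loads(_b64url_decode(payload))


def accept_invitation_fixed(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Recompute the MAC over header.payload and compare in constant time.

    Returns the claims only if the signature is valid; None otherwise.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, signature = parts
    try:
        alg = json.loads(_b64url_decode(header)).get("alg")
        given = _b64url_decode(signature)
    except (ValueError, UnicodeDecodeError):
        return None
    if alg != "HS256":  # pin the algorithm; never let the header choose it
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given):
        return None
    return json.loads(_b64url_decode(payload))


if __name__ == "__main__":
    legit = issue_invitation("org-a", "alice@example.com")
    forged = tamper(legit, "org-b", "attacker@example.com")
    print("vulnerable:", accept_invitation_vulnerable(forged))  # forged claims accepted
    print("fixed:     ", accept_invitation_fixed(forged))       # None: rejected
```

The forged token carries the original signature over the original payload, so any verifier that recomputes the MAC over the rewritten header.payload rejects it; only a verifier that skips that step, as the vulnerable function does, admits the attacker into the organization named in the rewritten claims.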

Generated by OpenCVE AI on April 18, 2026 at 18:15 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Install the latest Red Hat security updates for Keycloak (RHSA-2026:2363 through RHSA-2026:2366 or any newer release that includes the fix).
  • Restrict or audit organization invitation usage; if the feature is not required, disable invitations until the patch is applied.
  • No workaround is available; rely on the official patch.

Generated by OpenCVE AI on April 18, 2026 at 18:15 UTC.


Advisories
Source ID Title
GitHub GHSA GHSA-hcvw-475w-8g7p Keycloak affected by improper invitation token validation
History

Tue, 10 Feb 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared (none) Redhat build Of Keycloak
Vendors & Products (none) Redhat build Of Keycloak

Tue, 10 Feb 2026 01:45:00 +0000


Tue, 10 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity: None threat_severity: Important


Mon, 09 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.2::el9
References
Metrics ssvc (none) {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Description (none) A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.
Title (none) Org.keycloak.services.resources.organizations: keycloak: unauthorized organization registration via improper invitation token validation
First Time appeared (none) Redhat; Redhat build Keycloak
Weaknesses (none) CWE-347
CPEs (none) cpe:/a:redhat:build_keycloak:
Vendors & Products (none) Redhat; Redhat build Keycloak
References
Metrics cvssV3_1 (none) {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-02-16T21:45:35.169Z

Reserved: 2026-01-28T12:22:02.063Z

Link: CVE-2026-1529

Vulnrichment

Updated: 2026-02-09T20:51:11.825Z

NVD

Status : Deferred

Published: 2026-02-09T20:15:55.883

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1529

Redhat

Severity : Important

Public Date: 2026-02-09T18:21:00Z

Links: CVE-2026-1529 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T18:30:07Z

Weaknesses