Description
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId,
idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
Published: 2026-05-20
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in Keycloak allows a malicious actor to consume a cross‑session verification proof that is only keyed by a local userId and IdP alias, enabling the attacker to link a second upstream account from the same Identity Provider to the victim’s local account. This effectively permits account takeover or unauthorized account linkage. The weakness is an improper access control flaw identified as CWE-639, where the verification proof is not bound to the verified upstream identity.

Affected Systems

Red Hat Build of Keycloak is affected. Specific product versions are not listed in the supplied data, so the exact scope of vulnerable releases cannot be determined from this report.

Risk and Exploitability

The flaw carries a CVSS score of 6.4, indicating a medium impact. The EPSS score is not available, and it is not listed in CISA’s KEV catalog, suggesting that widespread public exploitation has not been observed. The likely attack vector is an attacker controlling a second account on the same IdP who can replay the verification proof; the vulnerability can be exercised once the attacker has a valid cross‑session proof, which is typical during normal authentication flows. Given the lack of evidence of active exploitation, the risk is moderate but warrants timely remediation to prevent potential account hijacking.

Generated by OpenCVE AI on May 20, 2026 at 17:21 UTC.

Remediation

Vendor Workaround

To mitigate this issue, configure the affected identity provider to set `trustEmail=true`. This ensures that Keycloak trusts the email address provided by the upstream identity provider, bypassing the vulnerable verification flow. This mitigation should only be applied if the upstream identity provider is fully trusted to verify email addresses and prevent malicious account creation with existing email addresses. Configuration changes may require a Keycloak service restart or reload to take effect.

OpenCVE Recommended Actions

  • Configure the identity provider to set trustEmail=true, ensuring Keycloak accepts the upstream provided email and bypasses the vulnerable verification flow.
  • Restart or reload the Keycloak service to apply the trustEmail configuration changes.
  • Apply any vendor‑published patch or update for Red Hat Build of Keycloak that resolves the cross‑session verification proof issue.
  • If a patch is not available, isolate the affected IdP or restrict account linking between IdPs to mitigate risk.

Generated by OpenCVE AI on May 20, 2026 at 17:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 21 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 20 May 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Vendors & Products Redhat build Of Keycloak

Wed, 20 May 2026 16:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
Title Keycloak: cross-session email verification proof not bound to upstream identity in first-broker-login
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-639
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Redhat Build Keycloak Build Of Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-21T14:02:09.087Z

Reserved: 2026-05-20T14:53:18.352Z

Link: CVE-2026-9087

cve-icon Vulnrichment

Updated: 2026-05-21T14:02:00.887Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-05-20T17:16:32.207

Modified: 2026-05-20T17:32:35.827

Link: CVE-2026-9087

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-20T14:53:44Z

Links: CVE-2026-9087 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T17:30:35Z

Weaknesses