CVE-2026-8830
Description
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated Keycloak users can bypass WebAuthn policy restrictions by manipulating client-side JavaScript during credential registration.
Vulnerability
In Keycloak, the server-side processAction() method fails to validate that the newly created WebAuthn credential's parameters—such as public key algorithms, user verification, or resident key configuration—match the realm's configured WebAuthn policies [1][2]. This allows an authenticated user to create a credential that does not adhere to the administrative security requirements. The affected versions are those that do not include the fix for this validation gap.
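The kind of server-side check the description says is missing, as an added illustration written for this page rather than taken from Keycloak: the registration response's authenticator data and decoded COSE algorithm are compared against a hypothetical realm policy (policy field names, the sample data and the helper functions are assumptions), so values the browser can alter before sending do not decide compliance.

```python
from dataclasses import dataclass

# Flag bits of the WebAuthn authenticator data "flags" byte (byte offset 32).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data present

@dataclass
class WebAuthnPolicy:
    """Hypothetical realm policy; field names are assumptions, not Keycloak's."""
    allowed_algorithms: tuple = (-7,)    # COSE ids: -7 = ES256, -257 = RS256
    user_verification: str = "required"  # "required" | "preferred" | "discouraged"
    require_resident_key: bool = False

def policy_violations(policy, auth_data, cose_alg, client_extensions):
    """Compare a registration response with the realm policy on the server.
    auth_data: raw authenticator data from the attestation object.
    cose_alg: 'alg' of the attested COSE key (assumed decoded by the attestation lib).
    client_extensions: clientExtensionResults as reported by the browser.
    Returns a list of violations; an empty list means the credential is compliant."""
    if len(auth_data) < 37:  # rpIdHash(32) + flags(1) + signCount(4)
        return ["authenticator data too short"]
    flags = auth_data[32]
    violations = []
    if not flags & FLAG_AT:
        violations.append("no attested credential data in registration")
    if policy.user_verification == "required" and not flags & FLAG_UV:
        violations.append("policy requires user verification but UV flag is clear")
    if cose_alg not in policy.allowed_algorithms:
        violations.append(f"algorithm {cose_alg} is not permitted by the realm policy")
    if policy.require_resident_key:
        # credProps.rk is client-reported, so it is only a best-effort signal;
        # anything other than an explicit True is treated as non-compliant.
        if client_extensions.get("credProps", {}).get("rk") is not True:
            violations.append("policy requires a resident key but none was confirmed")
    return violations

def sample_auth_data(flags):
    """Constructed authenticator data: zeroed rpIdHash, the given flags, a zero
    counter, then a minimal attested-credential header (aaguid, id length, id)."""
    return bytes(32) + bytes([flags]) + bytes(4) + bytes(16) + b"\x00\x01" + b"\x01"

def demo():
    """Compliant registration next to one that would slip through without the check."""
    policy = WebAuthnPolicy((-7,), "required", True)
    ok = policy_violations(policy, sample_auth_data(FLAG_UP | FLAG_UV | FLAG_AT),
                           -7, {"credProps": {"rk": True}})
    bad = policy_violations(policy, sample_auth_data(FLAG_UP | FLAG_AT), -257, {})
    return ok, bad
```

Resident-key status is the one policy item the server cannot observe directly from authenticator data, which is why the check treats the credProps extension result as advisory rather than authoritative.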
Exploitation
An attacker must be an authenticated user of the Keycloak realm and have the ability to modify client-side JavaScript during the WebAuthn registration process [1]. By altering the client-side code, the attacker can supply a credential that fails to meet the realm's policy constraints (e.g., using a weaker algorithm or bypassing resident key settings). The server does not subsequently verify the credential's parameters against the configured policies, enabling the bypass.
Impact
Successful exploitation allows the attacker to register a WebAuthn credential that does not comply with administrative security policies, potentially weakening the overall security posture of the system [2]. This could allow non-compliant authentication methods, undermining the intended security controls.
Mitigation
Not yet disclosed in the available references. Administrators should monitor for updates from Red Hat for Keycloak and apply the patch as soon as it becomes available [1]. No workaround is provided in the current advisories.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.