VYPR
Medium severity 6.4 · NVD Advisory · Published May 20, 2026 · Updated Jun 10, 2026

CVE-2026-9087

Description

A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
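The keying problem in the description, as an added example that is not Keycloak code: a toy proof store keyed the way the description states, beside a variant whose key also includes the verified upstream subject. All class, function and identifier names are hypothetical, the sample values are constructed, and the bound variant is one way to express the binding, not the change shipped in the patched release.

```python
class ProofStore:
    """Toy model of a cross-session verification proof store (hypothetical)."""

    def __init__(self, bind_upstream_identity):
        self.bind = bind_upstream_identity
        self._proofs = {}

    def _key(self, user_id, idp_alias, upstream_sub):
        # Unbound: key is only (local userId, idpAlias), as in the description.
        # Bound: the upstream subject that was verified is part of the key.
        if self.bind:
            return (user_id, idp_alias, upstream_sub)
        return (user_id, idp_alias)

    def issue(self, user_id, idp_alias, verified_sub):
        """Record that user_id verified upstream account verified_sub."""
        self._proofs[self._key(user_id, idp_alias, verified_sub)] = verified_sub

    def consume(self, user_id, idp_alias, presented_sub):
        """Single use: True only if a proof matches the lookup key."""
        key = self._key(user_id, idp_alias, presented_sub)
        return self._proofs.pop(key, None) is not None


def link_attempt(store, links, user_id, idp_alias, presented_sub):
    """Link presented_sub to the local account only if a proof is consumed."""
    if not store.consume(user_id, idp_alias, presented_sub):
        return False
    links.setdefault(user_id, set()).add((idp_alias, presented_sub))
    return True


def demo(bind_upstream_identity):
    """Return (other_account_linked, verified_account_linked)."""
    store = ProofStore(bind_upstream_identity)
    links = {}
    # Constructed sample values: one local user, one IdP, two upstream accounts.
    store.issue("local-user-1", "corp-oidc", "upstream-sub-A")
    other = link_attempt(store, links, "local-user-1", "corp-oidc", "upstream-sub-B")
    verified = link_attempt(store, links, "local-user-1", "corp-oidc", "upstream-sub-A")
    return other, verified


if __name__ == "__main__":
    print("unbound key:", demo(False))  # proof accepted for the unverified account
    print("bound key:  ", demo(True))   # proof accepted only for the verified account
```

When reviewing a linking flow, the check to look for is that the proof lookup or comparison includes the upstream subject returned by the IdP, not just the local user and the IdP alias.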

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.keycloak:keycloak-services (Maven) | < 26.6.3 | 26.6.3
