CVE-2026-9087
Description
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keycloak's first-broker-login uses a cross-session verification proof keyed only by local userId and idpAlias, allowing account linking to a different upstream account on the same IdP.
Vulnerability
The vulnerability exists in Keycloak's first-broker-login authentication flow. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the actual upstream identity that was verified. This allows a second upstream account on the same IdP to consume the proof and get linked to the victim's local account. Affected versions are not explicitly listed in the references, but the issue is present in Keycloak before the fix [1][2].
Exploitation
An attacker with the ability to register or control a second upstream account on the same identity provider (IdP) can exploit this flaw. The attacker initiates the first-broker-login flow using their own upstream account, but at the cross-session verification step, they can intercept or replay the proof. Since the proof is not bound to the specific upstream identity, the attacker can consume it to link their different upstream account to the victim's local account. No privileged network position is required beyond standard web access [1][2].
Impact
Successful exploitation allows an attacker to link a different upstream account on the same IdP to the victim's local Keycloak account. This leads to unauthorized account takeover or identity confusion, as the attacker can then authenticate as the victim using their own upstream credentials. The impact includes potential information disclosure, privilege escalation, and account compromise [1][2].
Mitigation
Red Hat has acknowledged the vulnerability but a fix has not been released as of the publication date (2026-05-20). Administrators should monitor Red Hat's security advisory for updates. No workaround is documented. The vulnerability is not listed in CISA's KEV as of the publication date [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
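The flaw in the Vulnerability paragraph above comes down to what the proof is keyed by. The following is an added illustration written for this page, not Keycloak's code: a hypothetical in-memory proof store whose weak mode keys the proof only by (local user id, IdP alias), and whose bound mode also keys it by the upstream subject that was actually verified. The class and function names and the sample identifiers are assumptions.

```python
# Constructed model of a cross-session verification proof store. Hypothetical
# illustration for this page, not Keycloak's code; names and sample ids are assumed.
from dataclasses import dataclass, field


@dataclass
class ProofStore:
    # False reproduces the weakness in the description: the proof is keyed only by
    # (local user id, IdP alias). True also binds the verified upstream subject.
    bind_upstream: bool
    _proofs: set = field(default_factory=set)

    def _key(self, local_user_id, idp_alias, upstream_subject):
        if self.bind_upstream:
            return (local_user_id, idp_alias, upstream_subject)
        return (local_user_id, idp_alias)  # upstream identity is discarded here

    def issue(self, local_user_id, idp_alias, verified_upstream_subject):
        """Record a proof after the upstream identity has actually been verified."""
        self._proofs.add(self._key(local_user_id, idp_alias, verified_upstream_subject))

    def consume(self, local_user_id, idp_alias, presenting_upstream_subject):
        """Permit the link only if a matching proof exists; proofs are single use."""
        key = self._key(local_user_id, idp_alias, presenting_upstream_subject)
        if key not in self._proofs:
            return False
        self._proofs.remove(key)
        return True


def cross_account_link(bind_upstream):
    """Does a different upstream account on the same IdP get linked? (constructed ids)"""
    store = ProofStore(bind_upstream)
    store.issue("local-user-42", "corp-oidc", "upstream-subject-A")  # verified account
    return store.consume("local-user-42", "corp-oidc", "upstream-subject-B")


def same_account_link(bind_upstream):
    """Legitimate case: the verified upstream account completes the link exactly once."""
    store = ProofStore(bind_upstream)
    store.issue("local-user-42", "corp-oidc", "upstream-subject-A")
    first = store.consume("local-user-42", "corp-oidc", "upstream-subject-A")
    replay = store.consume("local-user-42", "corp-oidc", "upstream-subject-A")
    return first, replay
```

In weak mode `cross_account_link` returns True, which is the linking behaviour the description warns about; in bound mode it returns False while the legitimate single-use path still succeeds.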