CVE-2026-9704
Description
A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated low-privilege user can escalate to client service account by sending oversized JWT to Keycloak's TokenEndpoint.
Vulnerability
A flaw exists in Keycloak's TokenEndpoint where an oversized subject_token JWT (exceeding 4000 characters) is silently dropped, causing the server to fall back to client credentials authentication [1][2]. This allows an attacker with low-privilege authentication to bypass intended token validation and impersonate the client's service account. Affected versions include Keycloak deployments prior to a fix (details not yet disclosed).
Exploitation
An attacker must have an authenticated session with low privileges. They send a crafted subject_token JWT larger than 4000 characters to the TokenEndpoint. The server discards the oversized token and proceeds with client credentials flow, effectively promoting the attacker to the client's service account privileges [2].
Impact
Successful exploitation leads to privilege escalation: the attacker gains the permissions of the client's service account, potentially allowing unauthorized access to resources, data disclosure, or administrative actions depending on the client's role.
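The failure mode described above, reduced to a small model so the difference between dropping an oversized subject_token and rejecting it is visible in code. This is an added example and not Keycloak's implementation: the grant-type handling, the request dictionary, the Principal and InvalidRequest types and the placeholder JWT check are assumptions; only the 4000-character limit and the fallback to client credentials come from the CVE description.

```python
"""Fail-open vs. fail-closed handling of an oversized subject_token.

Added illustration, not Keycloak's own code. The grant-type names, the request
dictionary, the Principal/InvalidRequest types and the placeholder JWT check are
assumptions; only the 4000-character limit and the fallback-to-client-credentials
behaviour are taken from the CVE description.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

MAX_TOKEN_LEN = 4000  # limit named in the CVE description
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"  # RFC 8693 grant type
CLIENT_CREDENTIALS = "client_credentials"


class InvalidRequest(Exception):
    """The request is rejected outright; no identity is assigned."""


@dataclass(frozen=True)
class Principal:
    name: str
    source: str  # "subject_token" or "client_credentials"


def _principal_from_jwt(token: str) -> Principal:
    # Placeholder for real signature and claims verification (assumption):
    # only the three-part JWS layout is checked so the example stays offline.
    if token.count(".") != 2:
        raise InvalidRequest("malformed subject_token")
    return Principal(name="user-from-subject-token", source="subject_token")


def resolve_weak(params: Dict[str, str], client_sa: str) -> Principal:
    """Fail-open: a subject_token over the limit is discarded as if it were
    never sent, so the request continues on the client's own credentials and
    inherits the client's service-account identity."""
    token: Optional[str] = params.get("subject_token")
    if token is not None and len(token) > MAX_TOKEN_LEN:
        token = None  # silently dropped: the behaviour the CVE describes
    if token is None:
        return Principal(name=client_sa, source="client_credentials")
    return _principal_from_jwt(token)


def resolve_hardened(params: Dict[str, str], client_sa: str) -> Principal:
    """Fail-closed: the grant type decides which identity source is legal, and
    a missing, oversized or malformed subject_token is an error, never a
    reason to continue under a more privileged identity."""
    grant = params.get("grant_type")
    if grant == CLIENT_CREDENTIALS:
        return Principal(name=client_sa, source="client_credentials")
    if grant == TOKEN_EXCHANGE:
        token = params.get("subject_token")
        if token is None:
            raise InvalidRequest("subject_token is required for token exchange")
        if len(token) > MAX_TOKEN_LEN:
            raise InvalidRequest("subject_token exceeds %d characters" % MAX_TOKEN_LEN)
        return _principal_from_jwt(token)
    raise InvalidRequest("unsupported grant_type")


def outcome(resolver: Callable[[Dict[str, str], str], Principal],
            params: Dict[str, str], client_sa: str) -> str:
    """Run a resolver and summarise the result as 'source:name' or 'rejected: reason'."""
    try:
        principal = resolver(params, client_sa)
    except InvalidRequest as exc:
        return "rejected: %s" % exc
    return "%s:%s" % (principal.source, principal.name)


if __name__ == "__main__":
    # Constructed sample requests: a well-formed short JWT and an oversized one.
    samples = {
        "short": "hdr.payload.sig",
        "oversized": "hdr." + "x" * 4100 + ".sig",
    }
    for label, tok in samples.items():
        req = {"grant_type": TOKEN_EXCHANGE, "subject_token": tok}
        print(label, "weak     ->", outcome(resolve_weak, req, "service-account-client"))
        print(label, "hardened ->", outcome(resolve_hardened, req, "service-account-client"))
```

The point for reviewers of any token endpoint is the shape of the weak function: a size check that turns a present-but-invalid credential into an absent one lets the later "no token, use the client" branch decide the identity. The hardened form ties the identity source to the requested grant type and makes every validation failure terminal.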
Mitigation
Red Hat has acknowledged the issue and is working on a fix [1]. Users should monitor for security updates and apply the patch as soon as it becomes available. No workaround has been provided; ensure timely upgrades.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE. Mechanics are only generated when the actual fix diff can be read; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.