CVE-2026-9793
Description
A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keycloak incorrectly processes unsigned claims in JWE-encrypted request objects, bypassing signature policy and compromising OIDC data integrity.
Vulnerability
A flaw exists in Keycloak's handling of JSON Web Encryption (JWE) encrypted request objects. When a JWE-encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy [1][2]. This violates the signing requirements of OpenID Connect (OIDC) Core and Financial-grade API (FAPI) specifications. The affected versions are not explicitly listed in the available references, but the vulnerability resides in the JWE decryption and claim validation logic.
Exploitation
An attacker with network access to a Keycloak instance can craft a JWE-encrypted request object containing a raw JSON payload without a valid signature. By submitting this request to the authorization endpoint, the attacker can cause Keycloak to accept unsigned claims, bypassing the intended signature verification [1][2]. No authentication or prior access is required; the attack is performed remotely.
Impact
Successful exploitation allows the attacker to inject unauthorized claims into the OIDC authorization flow, compromising data integrity [1][2]. This can lead to misrepresentation of user attributes or authorization decisions. The redirect URI allowlist provides a compensating control but does not prevent the underlying signature bypass, meaning the integrity violation still occurs within the allowed redirect scope.
Mitigation
As of the publication date, no fix version has been disclosed in the available references [1][2]. Administrators should monitor Red Hat security advisories for updates. The redirect URI allowlist offers partial mitigation by limiting the impact of unauthorized claims, but it does not address the signature bypass itself. Until a patch is released, organizations should review their Keycloak configurations and consider additional network-level controls.
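The Vulnerability and Mitigation sections above describe the expected behaviour in one sentence: once the JWE layer is removed, a request object must still satisfy the client's signature policy, so bare JSON claims have to be refused rather than parsed. The following Python is an added illustration of that post-decryption check, written for this page; it is not Keycloak code and does not reproduce the flawed logic. It assumes a constructed HS256 demo key and a simplified policy flag (`require_signature`) in place of Keycloak's per-client request-object settings, and it stands in for the point in a real implementation where the decrypted plaintext is handed to claim validation.

```python
"""Post-decryption signature-policy check for an OIDC request object.

Constructed illustration (not Keycloak code): after the JWE layer has been
removed, the plaintext must be a signed JWS (a nested JWT) when the client's
request-object signature policy requires signing. Raw JSON is rejected.
"""
import base64
import hashlib
import hmac
import json

# Constructed demo HMAC key. A real deployment would verify against the
# client's registered signing key (assumption made for this illustration).
DEMO_KEY = b"constructed-demo-hmac-key"


class PolicyViolation(Exception):
    """Raised when the decrypted request object fails the signature policy."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Produce a compact JWS (header.payload.signature) over claims with HS256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def classify_plaintext(plaintext: bytes) -> str:
    """Return 'jws' for a compact JWS, 'raw_json' for a bare JSON object, else 'invalid'.

    The decision is made on the plaintext itself, not on the outer JWE 'cty'
    header, so a missing or misleading content-type cannot downgrade the check.
    """
    text = plaintext.decode("utf-8", errors="replace").strip()
    if text.startswith("{"):
        try:
            json.loads(text)
            return "raw_json"
        except ValueError:
            return "invalid"
    parts = text.split(".")
    if len(parts) != 3:
        return "invalid"
    try:
        header = json.loads(b64url_decode(parts[0]))
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return "invalid"
    return "jws" if isinstance(header, dict) and "alg" in header else "invalid"


def verify_hs256(token: str, key: bytes) -> dict:
    """Verify a compact HS256 JWS and return its claims; 'none' and other algs are refused."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise PolicyViolation(f"unsupported or unsigned alg: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise PolicyViolation("signature verification failed")
    return json.loads(b64url_decode(payload_b64))


def accept_decrypted_request_object(plaintext: bytes, key: bytes, require_signature: bool = True) -> dict:
    """Apply the signature policy to JWE plaintext and return the claims only if it passes.

    With a signing policy configured, a decrypted request object that is bare
    JSON is refused outright; it never reaches claim processing.
    """
    kind = classify_plaintext(plaintext)
    if kind == "jws":
        return verify_hs256(plaintext.decode("ascii"), key)
    if kind == "raw_json":
        if require_signature:
            raise PolicyViolation("unsigned raw JSON request object rejected by signature policy")
        return json.loads(plaintext)
    raise PolicyViolation("plaintext is neither a JWS nor a JSON object")


if __name__ == "__main__":
    # Constructed sample claims; hostnames are placeholders.
    claims = {"iss": "client-demo", "aud": "https://idp.example/realms/demo",
              "redirect_uri": "https://app.example/cb", "scope": "openid"}
    signed_plaintext = sign_hs256(claims, DEMO_KEY).encode("ascii")
    raw_plaintext = json.dumps(claims).encode()
    print("signed nested JWT accepted:", accept_decrypted_request_object(signed_plaintext, DEMO_KEY))
    try:
        accept_decrypted_request_object(raw_plaintext, DEMO_KEY)
    except PolicyViolation as exc:
        print("raw JSON refused:", exc)
```

The design choice worth noting is that the signed/unsigned decision is made on the decrypted bytes themselves rather than on the outer JWE header or on whether `json.loads` happens to succeed; a policy that only verifies signatures when it recognises a JWS, and otherwise falls through to parsing JSON, is exactly the shape of gap the advisory describes. The `require_signature` flag is a stand-in for the per-client setting; with FAPI profiles in force it would never be false.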
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
News mentions (0)
No linked articles in our index yet.