VYPR
patchPublished Jul 17, 2026· Updated Jul 19, 2026· 1 source

Keycloak Services: Nine Moderate Vulnerabilities Disclosed in Authorization and Session Management

Key findings • Nine moderate-severity vulnerabilities disclosed in Keycloak services between July 14-17, 2026. • Flaws impact authorization, session management, JWT/OIDC handling, and informa…

Key findings

  • Nine moderate-severity vulnerabilities disclosed in Keycloak services between July 14-17, 2026.
  • Flaws impact authorization, session management, JWT/OIDC handling, and information exposure.
  • CVE-2026-16089 allows authorization code retargeting, potentially leading to session hijacking.
  • CVE-2026-16093 bypasses signed-JWT assertion policies, weakening authentication.
  • CVE-2026-16108 and CVE-2026-15945 disclose hidden groups via group search functionalities.
  • Patches are available in Keycloak version 25.0.0.

On July 17, 2026, a batch of nine moderate-severity vulnerabilities affecting Keycloak services was disclosed, spanning a disclosure window from July 14 to July 17. These vulnerabilities, primarily impacting authorization, session management, and administrative functions, highlight potential weaknesses in how Keycloak handles sensitive information and access controls. The disclosures collectively underscore the importance of diligent security patching and configuration management for organizations relying on Keycloak for identity and access management.

Several vulnerabilities center on authorization code and session management. CVE-2026-16089 allows authorization codes to be retargeted to different client sessions, potentially enabling session hijacking or unauthorized access. Another authorization-related flaw, CVE-2026-16106, permits delegated administrators to remove privileged child roles when deleting admin role composites, undermining role-based access control.

Security concerns also extend to JWT and OIDC handling. CVE-2026-16093 reveals that a required signed-JWT assertion policy can be bypassed using unsigned assertion headers, weakening authentication mechanisms. Furthermore, CVE-2026-15943 indicates that an OIDC IdP update can reuse a masked client secret after a token URL change, potentially exposing credentials.

The disclosures also touch upon information exposure and configuration weaknesses. CVE-2026-16072 describes how an organization invitation link exposure can lead to unauthorized member creation. CVE-2026-16104 points out that the authenticator configuration endpoint exposes raw reCAPTCHA secrets to view-only administrators, a significant security oversight. Additionally, two related vulnerabilities, CVE-2026-16108 and CVE-2026-15945, detail how realm default group reads and group hierarchy searches can disclose hidden groups under FGAP v2, respectively.

Finally, CVE-2026-16103 addresses an incomplete fix for a CIBA brute-force lockout bypass at the token redemption stage, indicating a persistent vulnerability in the authentication flow.

These vulnerabilities were disclosed in close succession, emphasizing the need for prompt attention from Keycloak administrators. While the provided information does not detail specific exploitation in the wild or name threat actors, the nature of these flaws suggests potential impacts ranging from unauthorized access and privilege escalation to information disclosure and denial of service. Organizations using Keycloak should review the specific CVE details and apply available patches to mitigate these risks.

The batch of vulnerabilities was disclosed between July 14 and July 17, 2026. All nine CVEs appear to be addressed in Keycloak version 25.0.0. Users are advised to update to this version or later to ensure their systems are protected against these newly disclosed security weaknesses. Regular security audits and adherence to best practices for identity and access management remain crucial for maintaining a secure environment.

Synthesized by Vypr AI