Keycloak: Twelve Vulnerabilities Disclosed, One High Severity

Key findings
- Twelve vulnerabilities disclosed for Keycloak between May 27-28, 2026.
- One high-severity vulnerability (CVE-2026-9796) allows privilege escalation via scope mapping.
- Several flaws impact administrative role management and client permissions.
- Issues identified in token handling, session management, and protocol implementations.
- Potential bypasses of brute-force protection and signature policies noted.
- Users urged to consult advisories and apply updates promptly.
On May 27 and 28, 2026, twelve vulnerabilities affecting the Keycloak identity and access management server were disclosed within two days; ten of them are summarised below. Their severities range from medium to high, and they touch client registration, token handling, administrative permissions, session management and protocol implementations. Taken together they expose weaknesses in how Keycloak enforces client policies, administrative role boundaries and session state, and they warrant prompt patching.
Several of the flaws are authorization bypasses or privilege escalations. CVE-2026-9796, the single high-severity issue, lets an administrator with limited client management permissions assign any realm role to a client's scope mapping. Because scope mappings govern which roles may appear in tokens issued for that client, the restricted administrator can hand the client privileges that the permission model was meant to withhold. CVE-2026-9795 is a time-of-check to time-of-use (TOCTOU) race in the admin role checks: an authenticated administrator holding only the manage-clients role can exploit the window between the check and the assignment to escalate to realm-admin within the realm.
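A defender's first question after CVE-2026-9796 is whether any client or client scope in a realm already carries an administrative role in its scope mapping. The script below is an added example (not Keycloak's code and not part of the advisory) that audits a realm export offline. It assumes the realm-export.json layout with top-level `scopeMappings` and `clientScopeMappings` entries; the set of roles it treats as sensitive is an assumption to be tuned per deployment, and the embedded export is constructed for the demonstration.

```python
"""Audit a Keycloak realm export for scope mappings that hand privileged
realm or realm-management roles to clients or client scopes.

Added example, not Keycloak code.  Assumes the realm-export.json layout
("scopeMappings" for realm roles, "clientScopeMappings" keyed by the client
that owns the roles).  The sample export is constructed for this demo.
"""
import json

# Assumed allowlist of roles worth reviewing when they appear in a scope
# mapping.  "admin" is the built-in realm administrator composite; the
# realm-management client roles are the ones that administer the realm.
SENSITIVE_REALM_ROLES = {"admin", "create-realm"}
SENSITIVE_CLIENT_ROLES = {
    "realm-management": {"realm-admin", "manage-realm", "manage-users",
                         "manage-clients", "manage-authorization"},
}

# Constructed sample: one benign mapping, two that should be flagged.
SAMPLE_EXPORT = json.dumps({
    "realm": "demo",
    "scopeMappings": [
        {"clientScope": "offline_access", "roles": ["offline_access"]},
        {"client": "reporting-app", "roles": ["admin"]},
    ],
    "clientScopeMappings": {
        "realm-management": [
            {"client": "reporting-app", "roles": ["realm-admin"]},
            {"client": "account-console", "roles": ["view-users"]},
        ],
        "account": [
            {"client": "account-console", "roles": ["manage-account"]},
        ],
    },
})


def _holder(entry):
    """Name the principal a mapping entry applies to (client or client scope)."""
    if "client" in entry:
        return f"client:{entry['client']}"
    return f"clientScope:{entry.get('clientScope', '?')}"


def find_privileged_scope_mappings(export_json):
    """Return sorted (holder, role_owner, role) tuples for every sensitive grant.

    role_owner is "realm" for realm roles, otherwise the client owning the role.
    """
    realm = json.loads(export_json)
    findings = []
    for entry in realm.get("scopeMappings", []):
        for role in entry.get("roles", []):
            if role in SENSITIVE_REALM_ROLES:
                findings.append((_holder(entry), "realm", role))
    for owner, entries in realm.get("clientScopeMappings", {}).items():
        watched = SENSITIVE_CLIENT_ROLES.get(owner)
        if not watched:
            continue
        for entry in entries:
            for role in entry.get("roles", []):
                if role in watched:
                    findings.append((_holder(entry), owner, role))
    return sorted(findings)


if __name__ == "__main__":
    for holder, owner, role in find_privileged_scope_mappings(SAMPLE_EXPORT):
        print(f"REVIEW: {holder} has {owner} role {role!r} in its scope mapping")
```

Run it against a fresh export after patching as well as before: a mapping added through the vulnerable path persists in the realm until someone removes it, so the patch alone does not undo an earlier escalation.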
Other disclosures concern specific protocol endpoints and components. CVE-2026-9803 is an unhandled ArrayIndexOutOfBoundsException in the ClientRegistrationAuth component, triggered by a malformed Authorization: Bearer header. CVE-2026-9794 lets an unauthenticated attacker send crafted SOAP requests to the SAML ECP endpoint and infer information from the distinct faultstring values returned, an error-message oracle. CVE-2026-9793 concerns JWE-encrypted requests: when the decrypted content is raw JSON rather than a nested signed JWT, Keycloak may process the unsigned claims, which bypasses the client's signature policy.
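The CVE-2026-9793 pattern is easy to reproduce in miniature: a parser that first tries to read the decrypted payload as JSON never reaches the signature check. The block below is an added example (not Keycloak's code and not the advisory's) showing that lenient path next to a strict one that only accepts a compact JWS whose algorithm is on the policy allowlist and whose signature verifies. It assumes the JWE decryption has already happened and that `plaintext` is its output; HS256 with a constructed shared secret is used so the block runs on the standard library alone, and the claim sets are constructed.

```python
"""Decrypted JWE request object: lenient parsing (raw JSON accepted as
claims) beside strict parsing (only a verified, policy-compliant JWS).

Added example, not Keycloak code.  `plaintext` is assumed to be the
output of JWE decryption; the secret and claims below are constructed.
"""
import base64
import hashlib
import hmac
import json

CLIENT_SECRET = b"constructed-demo-secret"   # constructed; not a real secret
ALLOWED_ALGS = {"HS256"}                      # stands in for the client's signature policy


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact JWS (header.payload.signature) over the claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def strict_parse(plaintext: bytes, secret: bytes) -> dict:
    """Accept only a compact JWS with an allowed alg and a valid signature."""
    parts = plaintext.decode().split(".")
    if len(parts) != 3:
        raise ValueError("request object is not a signed JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict) or header.get("alg") not in ALLOWED_ALGS:
        raise ValueError("alg not permitted by the signature policy")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(parts[1]))


def lenient_parse(plaintext: bytes, secret: bytes) -> dict:
    """The failure mode: raw JSON is taken as the claims and the signature
    policy is never consulted; only non-JSON input reaches strict_parse."""
    try:
        return json.loads(plaintext)
    except ValueError:
        return strict_parse(plaintext, secret)


def strict_accepts(plaintext: bytes, secret: bytes) -> bool:
    """True when strict_parse accepts the plaintext, False when it rejects."""
    try:
        strict_parse(plaintext, secret)
        return True
    except ValueError:
        return False


# Constructed inputs: attacker-chosen raw JSON, a properly signed request
# object, and an "alg": "none" token with an empty signature.
RAW_JSON_PLAINTEXT = json.dumps(
    {"client_id": "app", "redirect_uri": "https://evil.example/cb"}).encode()
SIGNED_PLAINTEXT = sign_hs256(
    {"client_id": "app", "redirect_uri": "https://app.example/cb"}, CLIENT_SECRET).encode()
NONE_PLAINTEXT = (_b64url(b'{"alg":"none"}') + "." + _b64url(b'{"x":1}') + ".").encode()


if __name__ == "__main__":
    print("lenient accepts raw JSON:", lenient_parse(RAW_JSON_PLAINTEXT, CLIENT_SECRET))
    print("strict accepts signed JWS:", strict_parse(SIGNED_PLAINTEXT, CLIENT_SECRET))
    print("strict accepts raw JSON:", strict_accepts(RAW_JSON_PLAINTEXT, CLIENT_SECRET))
    print("strict accepts alg=none:", strict_accepts(NONE_PLAINTEXT, CLIENT_SECRET))
```

The ordering is the whole point: the format check (is this a JWS at all?) and the policy check (is this alg allowed?) must run before any claim is read, and a decryption step that yields something other than a JWS should be an error, not a fallback.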
Three issues affect session management and brute-force protection. CVE-2026-9802 lets a remote attacker replay a revoked refresh token after a server restart when persistent session storage is enabled and revokeRefreshToken=true: the persisted session outlives the restart and the previously revoked token is accepted against it. CVE-2026-9798 bypasses brute-force protection for temporarily locked accounts through the Client-Initiated Backchannel Authentication (CIBA) flow; it requires valid client credentials. CVE-2026-9704 concerns token exchange: an oversized subject_token JWT is silently dropped instead of rejected, and the request falls back to the client-credentials path, which an authenticated user with low privileges could exploit.
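To make the CVE-2026-9802 failure mode concrete, the following added example (a model written for this page, not Keycloak's implementation) simulates refresh-token rotation in which sessions are persisted but the "current token" bookkeeping either is or is not persisted with them. Two dicts stand in for the database and for process memory; the session and token formats are constructed. The only behaviour it reproduces is the one the text describes: a rotated-out token accepted again after a restart.

```python
"""Refresh-token rotation whose revocation state may or may not survive a
restart.  Added example, not Keycloak code: `db` stands in for the
persisted session store, `memory` for process memory wiped by a restart.
"""
import secrets


class RefreshTokenService:
    """Rotating refresh tokens: each refresh issues a new token and the
    previous token for that session must be refused from then on."""

    def __init__(self, persist_rotation_state: bool):
        self.persist_rotation_state = persist_rotation_state
        self.db = {}       # survives restart: sid -> {"user", "current"}
        self.memory = {}   # wiped by restart: sid -> current token

    def login(self, user: str) -> str:
        sid = secrets.token_hex(4)
        token = f"{sid}.{secrets.token_hex(8)}"
        self.db[sid] = {"user": user, "current": None}
        self._record(sid, token)
        return token

    def _record(self, sid: str, token: str) -> None:
        self.memory[sid] = token
        if self.persist_rotation_state:
            self.db[sid]["current"] = token

    def _current(self, sid: str):
        if self.persist_rotation_state:
            return self.db[sid]["current"]
        return self.memory.get(sid)   # None once the process has restarted

    def refresh(self, token: str) -> str:
        sid = token.split(".", 1)[0]
        if sid not in self.db:
            raise PermissionError("unknown session")
        current = self._current(sid)
        # Fail-open check: with no rotation state on record, the presented
        # token is taken at face value.  That is the replay window after a
        # restart when the session, but not the rotation state, was persisted.
        if current is not None and current != token:
            raise PermissionError("refresh token already rotated")
        new_token = f"{sid}.{secrets.token_hex(8)}"
        self._record(sid, new_token)
        return new_token

    def restart(self) -> None:
        self.memory.clear()           # persisted sessions in self.db remain


def _replay(persist_rotation_state: bool, restart: bool) -> bool:
    """True if a token revoked by rotation is accepted a second time."""
    svc = RefreshTokenService(persist_rotation_state)
    first = svc.login("alice")
    svc.refresh(first)                # rotates; `first` is now revoked
    if restart:
        svc.restart()
    try:
        svc.refresh(first)
        return True
    except PermissionError:
        return False


def replay_after_restart(persist_rotation_state: bool) -> bool:
    return _replay(persist_rotation_state, restart=True)


def replay_without_restart(persist_rotation_state: bool) -> bool:
    return _replay(persist_rotation_state, restart=False)


if __name__ == "__main__":
    print("in-memory rotation state, replay after restart:", replay_after_restart(False))
    print("persisted rotation state, replay after restart:", replay_after_restart(True))
```

Two fixes fall out of the model: persist the rotation state alongside the session it belongs to, and fail closed (reject) when no rotation state is on record rather than treating "unknown" as "valid".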
The remaining issues concern data exposure and redirects. CVE-2026-9791 can leave organization metadata in issued tokens even after the organization has been deleted. CVE-2026-9689 concerns overly broad valid redirect URIs: a registration wider than the client actually needs lets an attacker steer users to a malicious site.
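Broad redirect URI registrations fail in a predictable way: a wildcard that is matched by plain string prefix also matches a host the pattern's author never intended. The block below is an added example (not Keycloak's matcher and not from the advisory) that puts a string-prefix matcher next to a strict one which compares scheme, host and port as parsed components and lets a trailing `*` widen only a path prefix, plus an audit that flags patterns whose wildcard is not anchored to a path. The registered patterns are constructed, and the only pattern syntax interpreted is a trailing `*`.

```python
"""Redirect URI validation: a string-prefix matcher beside a strict one.

Added example, not Keycloak code.  The registered patterns are constructed
for a hypothetical client; the only wildcard syntax interpreted is a
trailing '*'.
"""
from urllib.parse import urlsplit

REGISTERED = [
    "https://app.example.com*",          # star directly after the host
    "https://portal.example.com/cb",     # exact URI
    "https://shop.example.com/oidc/*",   # star confined to a path prefix
]


def loose_match(redirect_uri: str, patterns) -> bool:
    """String-prefix matching.  'https://app.example.com*' also accepts
    'https://app.example.com.evil.net/cb' because no host is ever compared."""
    for p in patterns:
        if p.endswith("*") and redirect_uri.startswith(p[:-1]):
            return True
        if redirect_uri == p:
            return True
    return False


def _split_pattern(p: str):
    wild = p.endswith("*")
    return wild, urlsplit(p[:-1] if wild else p)


def _origin(parts):
    """(scheme, host, port) of a split URL, or None if the port is malformed."""
    try:
        return (parts.scheme, parts.hostname, parts.port)
    except ValueError:
        return None


def strict_match(redirect_uri: str, patterns) -> bool:
    """Compare scheme, host and port as parsed components; a trailing '*'
    may widen only a path prefix that ends in '/'; fragments, non-https
    schemes and dot-dot segments are refused outright."""
    r = urlsplit(redirect_uri)
    origin = _origin(r)
    if origin is None or r.scheme != "https" or not r.hostname or r.fragment:
        return False
    if ".." in r.path.split("/"):
        return False
    for p in patterns:
        wild, b = _split_pattern(p)
        if _origin(b) != origin:
            continue
        if wild:
            if b.path.endswith("/") and r.path.startswith(b.path):
                return True
        elif (r.path, r.query) == (b.path, b.query):
            return True
    return False


def audit_patterns(patterns):
    """Return registrations whose wildcard is not anchored to a '/'-terminated
    path on a concrete https host; strict_match never honours those."""
    flagged = []
    for p in patterns:
        wild, b = _split_pattern(p)
        if wild and (b.scheme != "https" or not b.hostname
                     or "*" in b.hostname or not b.path.endswith("/")):
            flagged.append(p)
    return flagged


if __name__ == "__main__":
    evil = "https://app.example.com.evil.net/cb"
    print("loose:", loose_match(evil, REGISTERED), "strict:", strict_match(evil, REGISTERED))
    print("patterns to fix:", audit_patterns(REGISTERED))
```

The audit is the operational takeaway: every flagged pattern should be rewritten so the `*` follows a `/` on an exact host, and any registration that is just `*` should be replaced with the handful of URIs the application really uses.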
The initial disclosures did not detail affected versions or specific patches. Given the breadth of the issues, Keycloak operators should consult the official Keycloak security advisories for the fixed versions and apply the updates promptly. Twelve CVEs in two days is a reminder that identity and access management systems need the same patch discipline and monitoring as any other internet-facing component.