PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-11800 Red Hat CVE debrief

A flaw was found in Keycloak, a widely deployed open-source identity and access management server. The JWT Authorization Grant flow is affected by a JWT algorithm confusion weakness (CWE-347, improper verification of a cryptographic signature): an attacker who holds valid client credentials can submit a forged assertion that passes signature verification and have Keycloak mint access tokens that were never legitimately authorized. Since the assertion is what identifies the user, the attacker can impersonate any federated user linked to the affected Identity Provider, giving unauthorized access and potential privilege escalation. The vulnerability has a CVSS 3.1 base score of 8.1 (High). Red Hat has released advisories and patches to address it.

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.6
CVSS: 8.1 (HIGH)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-25
Original CVE updated: 2026-07-01
Advisory published: 2026-06-25
Advisory updated: 2026-07-01

Who should care

Any organization that runs Keycloak as its identity and access management layer, and in particular Red Hat build of Keycloak 26.6 (the product named in the advisory), should prioritize this patch. Exploitation requires valid client credentials, so the attacker population is every client registered in the realm plus anyone who has obtained a client secret rather than the anonymous internet; that is still a low bar in most deployments. The payoff is an access token for any federated user linked to the affected Identity Provider, so those users, and every resource their tokens unlock, are exposed to impersonation and privilege escalation.

Technical summary

The vulnerability exists in the JWT Authorization Grant flow of Keycloak, in which a client presents a JWT assertion to the token endpoint and receives an access token in return. An attacker with valid client credentials can forge an assertion that bypasses signature verification and thereby obtain access tokens for federated users linked to the affected Identity Provider. In an algorithm confusion bug of this class the verifier lets the untrusted alg header of the token choose how the signature is checked instead of pinning the algorithm to the type of the trusted key; the advisory does not state which algorithms or key material are involved in Keycloak's case. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N: reachable over the network, low attack complexity, low privileges required (the client credentials), no user interaction, high confidentiality and integrity impact, no availability impact. The weakness is classified as CWE-347 (Improper Verification of Cryptographic Signature).
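To make the algorithm confusion class concrete, here is an added example that is not Keycloak's code and does not reproduce the specifics of this CVE (the advisory does not say which algorithms or key forms are involved there). It is a toy JWS verifier in Go, using only the standard library: a legitimate RS256 token from a throwaway issuer key, a forged token that an attacker holding only the public key MACs with alg=HS256, a vulnerable verifier that lets the header pick the HMAC path, and a fixed verifier that pins the algorithm to the key type. All names (encode, mac, signRS256, forgeHS256, split, Verifier, VerifyVulnerable, VerifyFixed, Demo) and the claims are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses base64url without padding

// encode builds the "<header>.<claims>" signing input of a compact JWS (marshalling string-only maps cannot fail).
func encode(alg string, claims map[string]string) string {
	h, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	c, _ := json.Marshal(claims)
	return b64.EncodeToString(h) + "." + b64.EncodeToString(c)
}

func mac(key []byte, in string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(in))
	return m.Sum(nil)
}

// signRS256 is the legitimate issuer: RSA PKCS#1 v1.5 over SHA-256 with the IdP's private key.
func signRS256(priv *rsa.PrivateKey, claims map[string]string) (string, error) {
	in := encode("RS256", claims)
	d := sha256.Sum256([]byte(in))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
	return in + "." + b64.EncodeToString(sig), err
}

// forgeHS256 is the attacker: only the public key is needed, its bytes become the HMAC secret under alg=HS256.
func forgeHS256(pubBytes []byte, claims map[string]string) string {
	in := encode("HS256", claims)
	return in + "." + b64.EncodeToString(mac(pubBytes, in))
}

// split parses a compact JWS into header, signing input and raw signature.
func split(tok string) (hdr map[string]any, in string, sig []byte, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, "", nil, errors.New("malformed token")
	}
	hb, err := b64.DecodeString(p[0])
	if err == nil {
		err = json.Unmarshal(hb, &hdr)
	}
	if err == nil {
		sig, err = b64.DecodeString(p[2])
	}
	return hdr, p[0] + "." + p[1], sig, err
}

// Verifier holds the trusted IdP key in the two forms a code base often keeps.
type Verifier struct {
	pub      *rsa.PublicKey // parsed key, all that RS256 verification needs
	pubBytes []byte         // same key as raw DER (PEM text behaves the same)
}

// VerifyFixed pins the algorithm to the key type; the header gets no vote.
func (v *Verifier) VerifyFixed(tok string) bool {
	hdr, in, sig, err := split(tok)
	if err != nil || hdr["alg"] != "RS256" {
		return false
	}
	d := sha256.Sum256([]byte(in))
	return rsa.VerifyPKCS1v15(v.pub, crypto.SHA256, d[:], sig) == nil
}

// VerifyVulnerable lets the untrusted alg header pick the routine, so alg=HS256 is checked with the public-key bytes as MAC key.
func (v *Verifier) VerifyVulnerable(tok string) bool {
	hdr, in, sig, err := split(tok)
	if err == nil && hdr["alg"] == "HS256" { // header, not key type, selects HMAC
		return hmac.Equal(mac(v.pubBytes, in), sig)
	}
	return v.VerifyFixed(tok) // everything else takes the (correct) RSA path
}

// Demo: throwaway IdP key, one real token for "alice", one forged for "admin" (constructed claims); returns what each verifier accepted.
func Demo() (vulnLegit, vulnForged, fixedLegit, fixedForged bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	pubBytes, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // cannot fail for *rsa.PublicKey
	v := &Verifier{pub: &priv.PublicKey, pubBytes: pubBytes}
	legit, err := signRS256(priv, map[string]string{"iss": "idp", "sub": "alice"})
	if err != nil {
		return
	}
	forged := forgeHS256(pubBytes, map[string]string{"iss": "idp", "sub": "admin"})
	return v.VerifyVulnerable(legit), v.VerifyVulnerable(forged), v.VerifyFixed(legit), v.VerifyFixed(forged), nil
}
```

Demo returns true, true, true, false: the vulnerable verifier accepts the forged "admin" token because the attacker could compute the same HMAC from public material, while the fixed verifier rejects it without ever touching HMAC. The lesson for any assertion verifier, Keycloak's included, is that the expected algorithm must come from the configured key, never from the token.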

Defensive priority

Patching is the primary recommended action; apply the Red Hat updates as soon as possible. Until a patch is in place, reduce exposure along the two axes the vulnerability depends on: who can reach the JWT Authorization Grant with valid client credentials (restrict and rotate client secrets, and disable the grant wherever it is not required) and what a minted token can do (tighten the roles and scopes federated users receive), and monitor the token endpoint for assertions that fail, or unexpectedly succeed at, signature verification.

Recommended defensive actions

  • Apply the Red Hat patches (RHSA-2026:30083, RHSA-2026:30084) on every Keycloak instance, then confirm the running version on each.
  • Monitor Keycloak token-endpoint activity for JWT Authorization Grant requests, especially assertions with unexpected signing algorithms, issuers or subjects, and for tokens issued to federated users who did not authenticate at the Identity Provider.
  • As compensating controls, disable the JWT Authorization Grant where it is not required, restrict and rotate client credentials, and minimise the roles and scopes granted to federated users.
  • Review Keycloak identity-brokering and client configurations so that only the clients and Identity Providers that need the grant have it enabled.
  • Inventory every Keycloak deployment, including embedded and container images, to identify affected systems.

Evidence notes

The CVE record and NVD entry provide the official description of the vulnerability. Red Hat has published two advisories (RHSA-2026:30083, RHSA-2026:30084) and a security page for CVE-2026-11800; a Bugzilla entry (2487006) is also available, and the CSAF VEX document carries the vendor's statement of which products are affected.

Official resources

This article is AI-assisted and based on the supplied source corpus.