PatchSiren cyber security CVE debrief
CVE-2026-11800 Red Hat CVE debrief
A flaw was found in Keycloak, a popular open-source identity and access management solution. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation. The vulnerability has a CVSS score of 8.1 and is considered high severity. Red Hat has released advisories and patches to address this issue.
- Vendor: Red Hat
- Product: Red Hat build of Keycloak 26.6
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-25
- Original CVE updated: 2026-07-01
- Advisory published: 2026-06-25
- Advisory updated: 2026-07-01
Who should care
Organizations using Keycloak for identity and access management should prioritize patching this vulnerability. Attackers can exploit this flaw to gain unauthorized access to sensitive systems and data, potentially leading to privilege escalation. Federated users linked to the affected Identity Provider are at risk of being impersonated.
Technical summary
The vulnerability exists in the JWT Authorization Grant flow of Keycloak. An attacker holding valid client credentials can bypass signature verification by forging an assertion and thereby obtain access tokens that were never legitimately issued. This allows impersonation of federated users linked to the affected Identity Provider. The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N; PR:L reflects the valid client credentials the attacker must already hold, and C:H/I:H reflects the resulting impersonation. The weakness is classified as CWE-347 (Improper Verification of Cryptographic Signature).
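The technical summary names the weakness class (CWE-347, a JWT algorithm confusion in which the verifier lets the token's own alg header decide how the signature is checked). The Go program below is an added illustration of that class and its standard mitigation, written for this debrief; it is not Keycloak's code and does not reproduce the specific Keycloak code path, which the advisory does not describe. It puts a naive verifier that dispatches on the header's alg and reuses one blob of stored key bytes next to a pinned verifier that fixes the algorithm per issuer. The keys, the issuer name idp.example, the claims and every function name are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// JWT segments are base64url without padding.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func segment(v interface{}) string { j, _ := json.Marshal(v); return b64(j) }

// signRS256 is what a legitimate issuer does: RSA PKCS#1 v1.5 over SHA-256 with its private key.
func signRS256(priv *rsa.PrivateKey, claims map[string]string) (string, error) {
	input := segment(map[string]string{"alg": "RS256", "typ": "JWT"}) + "." + segment(claims)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil { return "", err }
	return input + "." + b64(sig), nil
}

// signHS256 builds a token whose third segment is an HMAC-SHA256 tag under secret.
func signHS256(secret []byte, claims map[string]string) string {
	input := segment(map[string]string{"alg": "HS256", "typ": "JWT"}) + "." + segment(claims)
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(input))
	return input + "." + b64(m.Sum(nil))
}

type header struct{ Alg string `json:"alg"` }

// split decodes the header and signature and returns the signing input.
func split(token string) (hdr header, input string, sig []byte, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return hdr, "", nil, fmt.Errorf("malformed token") }
	hj, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err == nil { err = json.Unmarshal(hj, &hdr) }
	if err == nil { sig, err = base64.RawURLEncoding.DecodeString(parts[2]) }
	return hdr, parts[0] + "." + parts[1], sig, err
}

// verifyNaive is the CWE-347 anti-pattern: the token's own "alg" header picks the
// primitive, and the verifier's one blob of stored key bytes (here the issuer's
// DER-encoded public key) is fed to whichever primitive that turns out to be.
func verifyNaive(token string, keyMaterial []byte) error {
	hdr, input, sig, err := split(token)
	if err != nil { return err }
	h := sha256.Sum256([]byte(input))
	switch hdr.Alg {
	case "RS256":
		k, err := x509.ParsePKIXPublicKey(keyMaterial)
		if err != nil { return err }
		pub, ok := k.(*rsa.PublicKey)
		if !ok { return fmt.Errorf("not an RSA key") }
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
	case "HS256":
		m := hmac.New(sha256.New, keyMaterial)
		m.Write([]byte(input))
		if hmac.Equal(m.Sum(nil), sig) { return nil }
		return fmt.Errorf("bad HMAC")
	}
	return fmt.Errorf("unsupported alg %q", hdr.Alg)
}

// verifyPinned is the hardened form: the algorithm comes from the verifier's own
// configuration for this issuer, the header must match it before any crypto runs,
// and the key object is only ever used with the primitive it belongs to.
func verifyPinned(token string, pub *rsa.PublicKey) error {
	hdr, input, sig, err := split(token)
	if err != nil { return err }
	if hdr.Alg != "RS256" { return fmt.Errorf("alg %q rejected: issuer pinned to RS256", hdr.Alg) }
	h := sha256.Sum256([]byte(input))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig)
}

// Demo builds constructed keys and claims and reports whether each verifier
// accepts the alg-confused HS256 token, and whether the pinned one still
// accepts a genuine RS256 token.
func Demo() (naiveConfused, pinnedConfused, pinnedGenuine bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return }
	stored, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey) // the verifier's stored copy of the issuer key
	genuine, err := signRS256(priv, map[string]string{"iss": "idp.example", "sub": "alice"})
	if err != nil { return }
	confused := signHS256(stored, map[string]string{"iss": "idp.example", "sub": "someone-else"})
	naiveConfused = verifyNaive(confused, stored) == nil
	pinnedConfused = verifyPinned(confused, &priv.PublicKey) == nil
	pinnedGenuine = verifyPinned(genuine, &priv.PublicKey) == nil
	return
}

func main() { fmt.Println(Demo()) }
```

Running it prints true for the naive verifier and false for the pinned one on the confused token, and true for the pinned verifier on the genuine token. The property worth checking in any token-consuming component is the one verifyPinned encodes: the accepted algorithm is a property of the configured key, never of the incoming token, and the alg check runs before any key material is touched, which also closes the unsigned alg "none" variant.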
Defensive priority
Patching is the primary recommended action. Organizations should apply the patches provided by Red Hat as soon as possible. In the absence of a patch, defenders should monitor for suspicious activity and implement compensating controls to limit the impact of potential exploitation.
Recommended defensive actions
- Apply patches provided by Red Hat (RHSA-2026:30083, RHSA-2026:30084) to address the vulnerability.
- Monitor for suspicious activity related to Keycloak and JWT authentication.
- Implement compensating controls to limit the impact of potential exploitation.
- Review and update Keycloak configurations to ensure secure settings.
- Conduct thorough inventory checks to identify affected systems.
Evidence notes
The CVE record and the NVD entry provide the official information about the vulnerability. Red Hat has released two advisories (RHSA-2026:30083, RHSA-2026:30084) and a security page for CVE-2026-11800. A Red Hat Bugzilla entry (2487006) is also available. The CSAF VEX document provides additional vendor information.
Official resources
- CVE-2026-11800 CVE record (CVE.org)
- CVE-2026-11800 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory (listed four times in the source; the reference addresses are obfuscated in the stored evidence)
- Mitigation or vendor reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c - Vendor Advisory
This article is AI-assisted and based on the supplied source corpus.