PatchSiren cyber security CVE debrief
CVE-2026-8830 Red Hat CVE debrief
CVE-2026-8830 describes a weakness in Keycloak's credential registration flow where an authenticated user may bypass configured WebAuthn policy enforcement by manipulating client-side JavaScript. The supplied NVD metadata says the server-side processAction() path does not validate that the newly created credential matches the realm's WebAuthn policy parameters, which can result in credentials that do not meet administrative security requirements. The issue was published on 2026-05-19 and carries a CVSS 3.1 score of 4.3 (medium).
- Vendor: Red Hat
- Product: Red Hat Build of Keycloak
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-19
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-19
Who should care
Keycloak administrators, IAM/security teams, and application owners that rely on WebAuthn policy enforcement for passwordless or second-factor registration should review this issue. It is especially relevant where realm policy settings are expected to constrain registration-time credential properties.
Technical summary
The supplied description and NVD metadata indicate that an authenticated attacker can interfere with the client-side registration flow and cause Keycloak to accept a credential that does not conform to the realm's WebAuthn policy. The core problem is missing server-side validation: processAction() does not verify that the newly created credential's parameters, including its public key algorithm, match the configured policy, so a registration response altered in the browser is accepted as long as it is otherwise well formed. NVD lists the vector as AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N and the weakness as CWE-603 (use of client-side authentication).
Defensive priority
Medium priority. The impact is limited to integrity of authentication policy enforcement rather than direct confidentiality or availability loss, but it can weaken assurance that newly registered WebAuthn credentials satisfy administrative requirements. Treat it as higher priority in environments that depend on strict authenticator policy controls.
Recommended defensive actions
- Review the Red Hat security advisory and associated Bugzilla issue referenced in the NVD record, then apply the vendor fix or update once available.
- Validate that WebAuthn registration is enforced server-side after remediation; do not rely on client-side controls for policy compliance.
- Audit existing WebAuthn credentials created during the exposure window and confirm they satisfy realm policy requirements.
- Restrict who can register credentials where feasible and monitor registration events for unexpected parameter combinations or policy deviations.
- Track the CVE record and vendor advisory for any updated impact, affected versions, or remediation guidance.
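The technical summary above describes the missing check, and the second and third actions ask for server-side enforcement and an audit of existing credentials. The following added example (not Keycloak's code, and not taken from the advisory) shows what that server-side check looks like: it parses the authenticator data from a registration response, extracts the credential's COSE algorithm and user-verification flag, and compares them against the realm policy. The policy dictionary shape, the minimal CBOR codec, and the sample registrations are all constructed for this illustration; the policy fields are modelled on Keycloak's "signature algorithms" and "user verification requirement" settings but the code does not call any Keycloak API.

```python
import hashlib

# --- minimal CBOR codec: integers, byte strings and maps, enough for a COSE key ---
def _cbor_head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    raise ValueError("fixture encoder only handles values below 65536")

def cbor_encode(obj):
    """Encode int/bytes/dict; used only to build the constructed fixtures below."""
    if isinstance(obj, int):
        return _cbor_head(0, obj) if obj >= 0 else _cbor_head(1, -1 - obj)
    if isinstance(obj, bytes):
        return _cbor_head(2, len(obj)) + obj
    if isinstance(obj, dict):
        return _cbor_head(5, len(obj)) + b"".join(cbor_encode(k) + cbor_encode(v) for k, v in obj.items())
    raise TypeError(f"unsupported type {type(obj).__name__}")

def cbor_decode(buf, pos=0):
    """Decode one CBOR item at buf[pos]; returns (value, next_pos)."""
    ib = buf[pos]
    major, info = ib >> 5, ib & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info == 24:
        arg, pos = buf[pos], pos + 1
    elif info == 25:
        arg, pos = int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    else:
        raise ValueError("unsupported CBOR length encoding")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 5:
        out = {}
        for _ in range(arg):
            k, pos = cbor_decode(buf, pos)
            v, pos = cbor_decode(buf, pos)
            out[k] = v
        return out, pos
    raise ValueError(f"unsupported CBOR major type {major}")

# --- WebAuthn authenticator data: rpIdHash(32) | flags(1) | signCount(4) | attestedCredentialData ---
FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40

def build_auth_data(rp_id, flags, cred_id, cose_key):
    """Constructed fixture builder: a zeroed AAGUID and sign count are fine for this check."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")
            + bytes(16) + len(cred_id).to_bytes(2, "big") + cred_id + cbor_encode(cose_key))

def parse_attested_credential(auth_data):
    """Pull the fields the policy check needs out of raw authenticator data."""
    if len(auth_data) < 37 + 16 + 2:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    if not flags & FLAG_AT:
        raise ValueError("AT flag clear: no attested credential data in registration response")
    pos = 37 + 16                                   # skip header and AAGUID
    cred_len = int.from_bytes(auth_data[pos:pos + 2], "big")
    pos += 2
    cred_id = auth_data[pos:pos + cred_len]
    cose_key, _ = cbor_decode(auth_data, pos + cred_len)
    return {"credential_id": cred_id, "kty": cose_key[1], "alg": cose_key[3],
            "user_present": bool(flags & FLAG_UP), "user_verified": bool(flags & FLAG_UV)}

# --- the server-side policy check that must not be delegated to the browser ---
def check_policy(cred, policy):
    """Return a list of policy violations for one credential record (empty list = conformant)."""
    violations = []
    if cred["alg"] not in policy["signature_algorithms"]:
        violations.append(f"COSE alg {cred['alg']} not in allowed set {sorted(policy['signature_algorithms'])}")
    if policy.get("user_verification_requirement") == "required" and not cred["user_verified"]:
        violations.append("policy requires user verification but UV flag is clear")
    if not cred["user_present"]:
        violations.append("UP flag is clear")
    return violations

def validate_registration(auth_data, policy):
    """What a registration handler should do before persisting: parse, then enforce the realm policy."""
    return check_policy(parse_attested_credential(auth_data), policy)

def audit_credentials(records, policy):
    """Audit already-stored credentials (dicts with the same keys as parse_attested_credential)."""
    return {r["credential_id"]: v for r in records if (v := check_policy(r, policy))}

# Constructed realm policy: ES256 only (COSE alg -7), user verification required.
REALM_POLICY = {"signature_algorithms": {-7}, "user_verification_requirement": "required"}

# Constructed registrations: one conformant ES256 with UV, one RS256 (alg -257) without UV.
ES256_KEY = {1: 2, 3: -7, -1: 1, -2: b"\x11" * 32, -3: b"\x22" * 32}
RS256_KEY = {1: 3, 3: -257, -1: b"\x33" * 256, -2: b"\x01\x00\x01"}
GOOD_REG = build_auth_data("idp.example.test", FLAG_UP | FLAG_UV | FLAG_AT, b"cred-A", ES256_KEY)
BAD_REG = build_auth_data("idp.example.test", FLAG_UP | FLAG_AT, b"cred-B", RS256_KEY)

if __name__ == "__main__":
    print("good registration violations:", validate_registration(GOOD_REG, REALM_POLICY))
    print("bad registration violations:", validate_registration(BAD_REG, REALM_POLICY))
```

The same `check_policy` function serves both purposes: a registration handler calls it before storing anything, and `audit_credentials` runs it across records already in the store, which is the exposure-window audit recommended above. A browser can rewrite the `PublicKeyCredentialCreationOptions` it was given, but it cannot change what the authenticator actually produced, so checks made on the parsed attestation rather than on the client's request parameters are the ones that hold.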
Evidence notes
This debrief is based only on the supplied CVE description and NVD metadata. The NVD record shows CVE-2026-8830 as 'Awaiting Analysis', includes Red Hat security and Bugzilla references, provides CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, and identifies CWE-603. The supplied corpus names Keycloak in the CVE description, but it does not include affected-version details or a confirmed product CPE list.
Official resources
Publicly disclosed on 2026-05-19, with the supplied source record published and modified the same day. No CISA KEV entry is present in the supplied data.