PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9704 Red Hat CVE debrief

A privilege escalation vulnerability in Keycloak allows an authenticated low-privilege user to gain elevated permissions by exploiting how the TokenEndpoint handles JWT size. When a subject_token JWT longer than 4000 characters is submitted, the token is silently discarded instead of the request being rejected, and processing falls back to client credentials authentication. That fallback grants the attacker the permissions of the client's service account. The root cause is enforcement of an input size limit without corresponding error handling or validation (CWE-1284, Improper Validation of Specified Quantity in Input). The CVSS 3.1 vector records network attack vector, high attack complexity, low privileges required, no user interaction and unchanged scope, with high confidentiality and integrity impact and no availability impact. The CVE was published to NVD on 2026-05-27 and is still undergoing analysis; Red Hat tracks the issue in Bugzilla.

Vendor
Red Hat
Product
Red Hat Build of Keycloak
CVSS
MEDIUM 6.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-27
Original CVE updated
2026-05-27
Advisory published
2026-05-27
Advisory updated
2026-05-27

Who should care

Organizations running Keycloak for identity and access management, in particular those that use token exchange flows or accept a subject_token parameter. Security teams should prioritize this where service accounts hold elevated privileges or where client credentials are used for sensitive operations. It also concerns identity architects and DevSecOps engineers responsible for JWT validation and OAuth/OIDC flow implementations.

Technical summary

The vulnerability exists in Keycloak's TokenEndpoint when it processes the subject_token parameter. A size limit of approximately 4000 characters is enforced on the JWT, but when the limit is exceeded the implementation discards the token instead of rejecting the request. Processing then falls back to client credentials authentication, so the request is authenticated as the client's service account rather than as the original user. An attacker with valid low-privilege credentials can craft or obtain an oversized JWT (for example by inflating claim values or nesting payloads) to trigger this path and inherit the service account's permissions. In the CVSS vector the need for valid credentials is already captured by low privileges required (PR:L); the high attack complexity (AC:H) reflects preconditions outside the attacker's control, such as a client configured for token exchange whose service account holds privileges worth obtaining, rather than any technical difficulty in producing an oversized token.
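The following is an added illustration written for this debrief, not Keycloak's code: a small Python model of the failure mode described above, with the defective dispatch (oversized subject_token dropped, request re-dispatched as client credentials) beside a fail-closed version that lets the grant type decide the code path and returns an OAuth error instead. All principals, role names, the 4000-character limit being exact, and the JWT-shaped tokens are constructed assumptions; the "signature" is a placeholder because only the token's length matters here.

```python
import base64
import json
from typing import Optional

# Limit named in the advisory: roughly 4000 characters (assumed exact here).
SUBJECT_TOKEN_MAX_CHARS = 4000
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"

# Constructed demo principals: a low-privilege user and a client whose
# service account holds a privileged role (hypothetical names).
USER_ROLES = {"alice": ["viewer"]}
SERVICE_ACCOUNT_ROLES = {"service-account-exchange-client": ["manage-users"]}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_demo_jwt(claims: dict) -> str:
    """JWT-shaped string (header.payload.signature) with a placeholder signature."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.placeholder"


def oversized_subject_token(user: str) -> str:
    """Inflate one claim until the token is well past the limit."""
    return make_demo_jwt({"sub": user, "pad": "A" * 4200})


def decode_claims(token: str) -> Optional[dict]:
    """Stand-in for token validation: decodes the payload, no signature check."""
    try:
        payload = token.split(".")[1]
        payload += "=" * (-len(payload) % 4)
        return json.loads(base64.urlsafe_b64decode(payload))
    except (IndexError, ValueError):
        return None


def issue_token(subject: str, roles: list) -> dict:
    """Hypothetical issued-token record standing in for a real access token."""
    return {"sub": subject, "roles": roles}


def token_endpoint_vulnerable(params: dict) -> dict:
    """Models the advisory's defect: an oversized subject_token is dropped, and a
    request with no subject_token is handled as client_credentials, which yields
    a token for the client's service account."""
    client_id = params["client_id"]
    subject_token = params.get("subject_token")
    if subject_token is not None and len(subject_token) > SUBJECT_TOKEN_MAX_CHARS:
        subject_token = None  # silently dropped instead of rejected: the bug
    if subject_token is None:
        sa = f"service-account-{client_id}"
        return issue_token(sa, SERVICE_ACCOUNT_ROLES[sa])
    claims = decode_claims(subject_token)
    if claims is None or claims.get("sub") not in USER_ROLES:
        return {"error": "invalid_grant"}
    return issue_token(claims["sub"], USER_ROLES[claims["sub"]])


def token_endpoint_fixed(params: dict) -> dict:
    """Fails closed: the grant type selects the code path, and a token exchange
    whose subject_token is missing, oversized or undecodable is an error."""
    client_id = params["client_id"]
    grant_type = params.get("grant_type")
    if grant_type == TOKEN_EXCHANGE:
        subject_token = params.get("subject_token")
        if subject_token is None:
            return {"error": "invalid_request", "error_description": "subject_token is required"}
        if len(subject_token) > SUBJECT_TOKEN_MAX_CHARS:
            return {"error": "invalid_request", "error_description": "subject_token exceeds size limit"}
        claims = decode_claims(subject_token)
        if claims is None or claims.get("sub") not in USER_ROLES:
            return {"error": "invalid_grant"}
        return issue_token(claims["sub"], USER_ROLES[claims["sub"]])
    if grant_type == "client_credentials":
        sa = f"service-account-{client_id}"
        return issue_token(sa, SERVICE_ACCOUNT_ROLES[sa])
    return {"error": "unsupported_grant_type"}


def demo() -> tuple:
    """Same attack request against both models: the vulnerable path hands out
    service-account roles, the fixed path returns an OAuth error."""
    request = {
        "grant_type": TOKEN_EXCHANGE,
        "client_id": "exchange-client",
        "subject_token": oversized_subject_token("alice"),
    }
    return token_endpoint_vulnerable(request), token_endpoint_fixed(request)


if __name__ == "__main__":
    print(demo())
```

The point of the fixed version is not the size check itself but that a failed or absent subject_token never changes which grant is being processed: a token exchange request either succeeds as a token exchange or fails, and only an explicit grant_type of client_credentials reaches the service account.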

Defensive priority

HIGH

Recommended defensive actions

  • Treat the silent fallback as a code defect rather than a configuration setting: the size limit cannot be made to fail closed from the admin console, so confirm from Red Hat's advisory which Red Hat build of Keycloak versions are affected and whether the fix returns an explicit error for oversized tokens
  • Audit the roles and scopes granted to client service accounts and reduce them to least privilege, since this vulnerability exposes whatever a service account holds
  • Monitor token endpoint logs and request body sizes for abnormally large subject_token submissions, and, where your logs record the user behind each issued token, for token exchange requests that result in a token for a service-account user, as possible exploitation attempts
  • Apply security updates from Red Hat/Keycloak when available, tracking bugzilla.redhat.com/show_bug.cgi?id=2481877 for patch status
  • As a compensating control pending the vendor fix, enforce a subject_token size limit at a reverse proxy or WAF in front of the token endpoint, rejecting oversized requests there instead of forwarding them to Keycloak
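An added example, not from this page or the Keycloak project, covering the monitoring and compensating-control items above in one place: a Python check that classifies POSTs to the Keycloak token endpoint, blocks any request whose subject_token exceeds the limit, alerts on a token exchange request that carries no subject_token at all, and emits a record a SIEM can keep for baselining. The sample traffic is constructed, the 4000-character limit is assumed exact, and the function is meant to sit wherever the decoded form body is visible (a TLS-terminating proxy or WAF module), since ordinary access logs do not record POST bodies.

```python
import json
from urllib.parse import parse_qs, urlencode

# Keycloak serves its token endpoint at /realms/<realm>/protocol/openid-connect/token.
TOKEN_PATH_SUFFIX = "/protocol/openid-connect/token"
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
# Limit named in the advisory (assumed exact here); anything above it is blocked.
SUBJECT_TOKEN_MAX_CHARS = 4000


def inspect_token_request(method: str, path: str, body: str) -> dict:
    """Classify one request to the token endpoint.
    'block' -> oversized subject_token: reject at the edge instead of forwarding
    'alert' -> token exchange without a subject_token (RFC 8693 requires one)
    'pass'  -> everything else, with fields worth keeping for baselining"""
    if method != "POST" or not path.endswith(TOKEN_PATH_SUFFIX):
        return {"decision": "pass", "reason": "not a token request"}
    form = parse_qs(body, keep_blank_values=True)
    grant_type = form.get("grant_type", [""])[0]
    client_id = form.get("client_id", [""])[0]
    subject_token = form.get("subject_token", [None])[0]
    record = {
        "client_id": client_id,
        "grant_type": grant_type,
        "subject_token_len": len(subject_token) if subject_token is not None else 0,
        "body_len": len(body),
    }
    if subject_token is not None and len(subject_token) > SUBJECT_TOKEN_MAX_CHARS:
        return {"decision": "block", "reason": "subject_token exceeds size limit", **record}
    if grant_type == TOKEN_EXCHANGE and subject_token is None:
        return {"decision": "alert", "reason": "token exchange without subject_token", **record}
    return {"decision": "pass", "reason": "", **record}


def scan(requests: list) -> list:
    """Run the check over (method, path, body) tuples; return the non-pass decisions."""
    return [d for d in (inspect_token_request(*r) for r in requests) if d["decision"] != "pass"]


def form(**fields) -> str:
    """Encode a form body the way an OAuth client would."""
    return urlencode(fields)


# Constructed sample traffic (not real logs): a normal token exchange, a normal
# client-credentials call, an oversized subject_token, a token exchange with no
# subject_token, and an unrelated request to the authorization endpoint.
FAKE_JWT = "eyJhbGciOiJSUzI1NiJ9." + "a" * 120 + ".sig"
TOKEN_PATH = "/realms/demo/protocol/openid-connect/token"
SAMPLE_REQUESTS = [
    ("POST", TOKEN_PATH, form(grant_type=TOKEN_EXCHANGE, client_id="exchange-client",
                              subject_token=FAKE_JWT)),
    ("POST", TOKEN_PATH, form(grant_type="client_credentials", client_id="batch-job",
                              client_secret="REDACTED")),
    ("POST", TOKEN_PATH, form(grant_type=TOKEN_EXCHANGE, client_id="exchange-client",
                              subject_token="eyJ" + "A" * 4500)),
    ("POST", TOKEN_PATH, form(grant_type=TOKEN_EXCHANGE, client_id="exchange-client")),
    ("GET", "/realms/demo/protocol/openid-connect/auth", ""),
]


if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(json.dumps(finding))
```

Keeping subject_token_len and body_len on every pass record is what makes the block threshold tunable: after a few days of traffic you can see how far legitimate subject tokens sit below the limit and lower the proxy threshold accordingly, so that padded tokens stand out well before they reach 4000 characters.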

Evidence notes

Vulnerability description sourced from NVD official record. CWE-1284 (Improper Validation of Specified Quantity in Input) identified as primary weakness. CVSS 3.1 vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N. Vendor attribution to Red Hat/Keycloak based on reference domain evidence and bugzilla tracking.

Official resources

2026-05-27