PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-9793 Red Hat CVE debrief

A vulnerability in Keycloak allows remote attackers to bypass signature verification in OpenID Connect (OIDC) authorization flows when JSON Web Encryption (JWE) encrypted request objects are used. The flaw occurs when decrypted content is raw JSON rather than a signed JWT, causing Keycloak to incorrectly process unsigned claims without enforcing configured signature policies. This violates OIDC Core and FAPI signing requirements, enabling unauthorized claim submission and data integrity compromise. A redirect URI allowlist provides partial mitigation but does not address the underlying signature bypass. The vulnerability is classified as CWE-347 (Improper Verification of Cryptographic Signature).

Vendor: Red Hat
Product: Red Hat Build of Keycloak
CVSS: MEDIUM 5.9
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

Organizations using Keycloak for OIDC identity provider services, particularly those implementing FAPI or high-assurance authentication flows. Security teams responsible for OAuth 2.0/OIDC infrastructure integrity and compliance auditors verifying FAPI adherence.

Technical summary

The vulnerability exists in Keycloak's processing of JWE-encrypted OIDC request objects. When a request object is encrypted using JWE and the decrypted payload is raw JSON (not a nested signed JWT), Keycloak fails to enforce signature verification policies on the claims. This allows attackers to craft encrypted request objects containing arbitrary unsigned claims that Keycloak processes as valid. The attack requires network access (AV:N) and is rated high complexity (AC:H) due to encryption requirements, but needs no privileges or user interaction. Impact is limited to integrity compromise (I:H) with no confidentiality or availability effects. The flaw specifically violates FAPI and OIDC Core requirements for cryptographic signature verification on request objects.

Defensive priority

medium

Recommended defensive actions

  • Review Keycloak OIDC client configurations for JWE request object handling and enforce strict signature verification policies
  • Validate that all encrypted request objects contain properly signed JWT payloads rather than raw JSON
  • Audit redirect URI allowlists to ensure compensating controls are properly configured
  • Monitor for anomalous authorization requests containing JWE-encrypted request objects with modified claims
  • Apply vendor patches when available from Red Hat or Keycloak upstream
  • Review FAPI compliance requirements and ensure cryptographic signature verification is enforced per OIDC Core specifications
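The check behind the second recommendation above, as an added example that is not Keycloak's own code: it accepts a decrypted JWE payload only when it is a nested JWS in compact serialization whose alg is on the configured allow-list and whose signature verifies, and it rejects raw JSON outright instead of reading its claims. HS256 with a constructed shared secret stands in for the asymmetric client-key verification a real deployment would use, and ALLOWED_ALGS is an assumed stand-in for the client's request-object signature setting.

```python
import base64
import hashlib
import hmac
import json

# Assumed stand-in for the client's configured request-object signing policy.
ALLOWED_ALGS = {"HS256"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def validate_decrypted_request_object(plaintext: bytes, key: bytes) -> dict:
    """Return the claims only if the decrypted JWE payload is a correctly signed JWS."""
    text = plaintext.decode("utf-8")
    # Raw JSON object: the bypass case in the advisory. Reject, do not read claims.
    if text.lstrip().startswith("{"):
        raise ValueError("decrypted request object is raw JSON, not a signed JWT")
    parts = text.split(".")
    if len(parts) != 3:
        raise ValueError("decrypted request object is not JWS compact serialization")
    header = json.loads(_b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:  # also rejects alg "none"
        raise ValueError(f"signing alg {alg!r} not permitted by policy")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise ValueError("request object signature invalid")
    return json.loads(_b64url_decode(parts[1]))


def make_signed_request_object(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Build a constructed nested JWS sample; alg "none" yields an empty signature."""
    h = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest() if alg != "none" else b""
    return f"{h}.{p}.{_b64url_encode(sig)}"


def is_accepted(plaintext: bytes, key: bytes) -> bool:
    """True if the payload passes the policy check, False if it is rejected."""
    try:
        validate_decrypted_request_object(plaintext, key)
        return True
    except ValueError:
        return False
```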

Evidence notes

CVE published 2026-05-28T05:16:40.697Z; modified 2026-05-28T13:44:54.327Z. NVD status: Undergoing Analysis. CVSS 3.1 vector: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N. Weakness: CWE-347. Vendor attribution based on Red Hat security references; confidence low, requires review.
