Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-14781— Keycloak-services: keycloak-services: oidc email_verified claim incorrectly applied to userinfo email

CVSS 4.8 · Medium
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-14781

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Keycloak-services: keycloak-services: oidc email_verified claim incorrectly applied to userinfo email
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the email_verified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but retrieves the email_verified status exclusively from the id_token. The root cause is a lack of validation ensuring that the email_verified claim in the id_token actually refers to the email address returned by the userinfo endpoint. If these two sources return different email addresses, the id_token's email_verified=true claim is blindly applied to the userinfo email. Exploitation Conditions: The OIDC identity provider must have trustEmail set to true (non-default). The userinfo endpoint must be enabled (default). The attacker must control or have compromised the upstream OIDC provider. Concrete Impact: Mark arbitrary email addresses as verified in the Keycloak database. Bypass email-based security controls or verification workflows. Potential account takeover if the application relies solely on the email_verified flag from the IdP to link accounts.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1288
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
Red HatRed Hat Build of Keycloak-cpe:/a:redhat:build_keycloak:
Red HatRed Hat Build of Keycloak-cpe:/a:redhat:build_keycloak:
Red HatRed Hat Build of Keycloak-cpe:/a:redhat:build_keycloak:
Red HatRed Hat Data Grid 8-cpe:/a:redhat:jboss_data_grid:8
Red HatRed Hat JBoss Enterprise Application Platform Expansion Pack-cpe:/a:redhat:jbosseapxp
Red HatRed Hat Single Sign-On 7-cpe:/a:redhat:red_hat_single_sign_on:7

II. Public POCs for CVE-2026-14781

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-14781

登录查看更多情报信息。

Vendor Advisories for CVE-2026-14781 (1)

Other References for CVE-2026-14781 (1)

IV. Related Vulnerabilities

V. Comments for CVE-2026-14781

No comments yet


Leave a comment