CVE-2026-9704— Keycloak: keycloak: privilege escalation due to oversized subject_token jwt

CVSS 6.8 · Medium EPSS 0.04% · P13 Updated May 28, 2026

Possible ATT&CK Techniques 1AI

Affected Version Matrix 1

Vendor	Product	Version Range	Status
Red Hat	Red Hat Build of Keycloak	`any`	affected

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-9704

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

Keycloak: keycloak: privilege escalation due to oversized subject_token jwt

Source: NVD (National Vulnerability Database)

Vulnerability Description

A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

CWE-1284

Source: NVD (National Vulnerability Database)

Vulnerability Title

Keycloak 安全漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在安全漏洞，该漏洞源于经过身份验证的低权限用户可通过向TokenEndpoint发送过大的subject_token JWT令牌，当令牌超过4000字符限制时被静默丢弃，系统回退到客户端凭据，导致用户获得客户端服务账户的权限，实现权限提升。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
Red Hat	Red Hat Build of Keycloak	-	`cpe:/a:redhat:build_keycloak:`

II. Public POCs for CVE-2026-9704

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-9704

请登录查看更多情报信息。

Vendor Advisories for CVE-2026-9704 (1)

🔗 2481877 – (CVE-2026-9704) CVE-2026-9704 keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT Read full article issue-trackingx_refsource_REDHAT

Other References for CVE-2026-9704 (1)

https://access.redhat.com/security/cve/CVE-2026-9704vdb-entryx_refsource_REDHAT

https://nvd.nist.gov/vuln/detail/CVE-2026-9704

Same Patch Batch · Red Hat · 2026-05-27 · 5 CVEs total

CVE-2026-3012	8.0 HIGH	Samba: group policy certificate enrollment uses http:// without validation
CVE-2026-1933	7.1 HIGH	Samba: missing access check on reparse point operations
CVE-2026-2340	6.5 MEDIUM	Samba: vfs_worm does not block directory modification
CVE-2026-9689	4.2 MEDIUM	Keycloak: org.keycloak.protocol.oidc: http parameter pollution in oidc redirect uri allows

IV. Related Vulnerabilities

Same product: Red Hat Build of Keycloak

Same vendor: Red Hat

Same weakness: CWE-1284

V. Comments for CVE-2026-9704

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-9704— Keycloak: keycloak: privilege escalation due to oversized subject_token jwt

Possible ATT&CK Techniques 1AI

Affected Version Matrix 1

I. Basic Information for CVE-2026-9704

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-9704

III. Intelligence Information for CVE-2026-9704

Vendor Advisories for CVE-2026-9704 (1)

Other References for CVE-2026-9704 (1)

Same Patch Batch · Red Hat · 2026-05-27 · 5 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-9704

Leave a comment