CVE-2026-9793— Keycloak: keycloak: security policy bypass in jwe-encrypted request object processing
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | any | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9793
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Keycloak: keycloak: security policy bypass in jwe-encrypted request object processing
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
密码学签名的验证不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Keycloak 数据伪造问题漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在数据伪造问题漏洞,该漏洞源于当提交JSON Web加密加密请求对象时,如果解密内容是原始JSON,Keycloak可能错误处理未签名声明,绕过配置的签名策略,可能导致远程攻击者提交未经授权的声明,从而破坏OpenID Connect授权流程中的数据完整性。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | - | cpe:/a:redhat:build_keycloak: |
II. Public POCs for CVE-2026-9793
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9793
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-9793 (1)
Other References for CVE-2026-9793 (1)
Same Patch Batch · Red Hat · 2026-05-28 · 14 CVEs total
| CVE-2026-4408 | 9.0 CRITICAL | Samba: remote code execution in samr |
| CVE-2026-9804 | 7.7 HIGH | Kubevirt: kubevirt: vmexport directory symlink escape enables exporter pod file read |
| CVE-2026-9795 | 7.3 HIGH | Keycloak: keycloak: privilege escalation via improper scope mapping enforcement |
| CVE-2026-44604 | 7.0 HIGH | Rpm: command injection in rpmuncompress dountar() via unescaped archive top-level director |
| CVE-2026-9802 | 6.8 MEDIUM | Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster |
| CVE-2026-9792 | 6.5 MEDIUM | Keycloak: keycloak: security restriction bypass allows unauthorized ropc token acquisition |
| CVE-2026-9796 | 6.5 MEDIUM | Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnera |
| CVE-2026-9794 | 5.3 MEDIUM | Keycloak: keycloak: information disclosure via saml ecp endpoint |
| CVE-2026-9803 | 5.3 MEDIUM | Keycloak: keycloak: denial of service via malformed authorization header |
| CVE-2026-9801 | 4.9 MEDIUM | Keycloak: keycloak: denial of service via malformed ldap password policy response |
| CVE-2026-9791 | 4.3 MEDIUM | Keycloak-rhel9: organization data leak after feature disabled in keycloak |
| CVE-2026-9798 | 4.3 MEDIUM | Keycloak: keycloak: brute-force protection bypass in ciba flow |
| CVE-2026-10028 | 4.3 MEDIUM | Glib-networking: infinite loop in glib-networking gnutls backend allows remote denial of s |
IV. Related Vulnerabilities
Same product: Red Hat Build of Keycloak
- CVE-2026-11986
Keycloak-rest-admin-ui-ext: authorization bypass vulnerabili - CVE-2026-11577
Keycloak: keycloak: privilege escalation via partialimport f - CVE-2026-9798
Keycloak: keycloak: brute-force protection bypass in ciba fl - CVE-2026-9796
Keycloak: keycloak: privilege escalation via time-of-check t - CVE-2026-9795
Keycloak: keycloak: privilege escalation via improper scope
Same vendor: Red Hat
- CVE-2026-54231
Abrt: unsanitized systemd journal content written to dump di - CVE-2026-54230
Abrt: event handler scripts follow symlinks when writing out - CVE-2026-54229
Abrt: chownproblemdir succeeds during active post-create eve - CVE-2026-54228
Abrt: toctou race condition in abrt-dbus setelement allows a - CVE-2026-53702
Gstreamer1-plugins-bad-free: gstreamer: stack buffer overflo
Same weakness: CWE-347
- CVE-2026-48558
SimpleHelp Authentication Bypass via Missing OIDC JWT Signat - CVE-2026-50010
Netty's wrapping plain trust manager silently disables hostn - CVE-2026-50634
Apache CXF: WS JSON request filter trusts metadata from an u - CVE-2026-41005
UAA accepts SAML Encrypted Assertions authentication bypass - CVE-2026-10795
UpdraftPlus: WP Backup & Migration Plugin <= 1.26.4 - Unauth
V. Comments for CVE-2026-9793
No comments yet