
Red Hat build of Keycloak 26.6 — Vulnerabilities & Security Advisories 14

All 14 CVE vulnerabilities found in Red Hat build of Keycloak 26.6, with AI-generated Chinese analysis, references, and POCs.

This page documents vulnerability aggregation for the Red Hat build of Keycloak 26.6 product, focusing on common weaknesses such as CWE types. It collects security issues related to authentication flaws, authorization bypasses, and configuration errors that impact the identity and access management capabilities of this specific enterprise-grade implementation. The scope includes vulnerabilities identified and tracked within a defined historical timeframe, ensuring comprehensive coverage of known risks associated with this release version. Readers can utilize this resource to track vendor advisories from Red Hat, understand the implications of specific weakness classes within the Keycloak ecosystem, and look up the product’s vulnerability history to assess exposure levels. By analyzing these aggregated data points, security teams can prioritize remediation efforts and align patching strategies with organizational risk tolerance. This information supports informed decision-making regarding upgrades, compensating controls, and threat modeling activities. The page serves as a centralized reference for IT professionals managing Red Hat Keycloak deployments, providing clear insights into the security posture of version 26.6 without requiring navigation through multiple disparate sources. Access to this structured data enables faster response times during incident investigations and enhances overall compliance reporting processes.

Vendor: Red Hat

| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2026-9088 | Keycloak: keycloak: information disclosure due to user profile permission bypass | CWE-1220 | 2.7 | Low | 2026-06-05 |
| CVE-2026-9803 | Keycloak: keycloak: denial of service via malformed authorization header | CWE-125 | 5.3 | Medium | 2026-05-28 |
| CVE-2026-9802 | Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart | CWE-613 | 6.8 | Medium | 2026-05-28 |
| CVE-2026-9801 | Keycloak: keycloak: denial of service via malformed ldap password policy response | CWE-1284 | 4.9 | Medium | 2026-05-28 |
| CVE-2026-9794 | Keycloak: keycloak: information disclosure via saml ecp endpoint | CWE-209 | 5.3 | Medium | 2026-05-28 |
| CVE-2026-9792 | Keycloak: keycloak: security restriction bypass allows unauthorized ropc token acquisition | CWE-280 | 6.5 | Medium | 2026-05-28 |
| CVE-2026-9791 | Keycloak-rhel9: organization data leak after feature disabled in keycloak | CWE-863 | 4.3 | Medium | 2026-05-28 |
| CVE-2026-9704 | Keycloak: keycloak: privilege escalation due to oversized subject_token jwt | CWE-1284 | 6.8 | Medium | 2026-05-27 |
| CVE-2026-9087 | Keycloak: cross-session email verification proof not bound to upstream identity in first-broker-login | CWE-639 | 6.4 | Medium | 2026-05-20 |
| CVE-2026-8922 | Org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: security flaw in org.keycloak/keycloak-services | CWE-303 | 5.4 | Medium | 2026-05-19 |
| CVE-2026-8830 | Keycloak: org.keycloak/keycloak-services: keycloak: policy bypass during webauthn credential registration via client-side javascript manipulation | CWE-603 | 4.3 | Medium | 2026-05-19 |
| CVE-2026-7500 | Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled | CWE-425 | 5.4 | Medium | 2026-04-30 |
| CVE-2026-37977 | Keycloak: org.keycloak.protocol.oidc.grants.ciba: keycloak: information disclosure via cors header injection due to unvalidated jwt azp claim | CWE-346 | 3.7 | Low | 2026-04-06 |
| CVE-2026-4874 | Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation | CWE-918 | 3.1 | Low | 2026-03-26 |

All 14 known CVE vulnerabilities affecting Red Hat build of Keycloak 26.6 with full Chinese analysis, references, and POCs where available.