CVE-2026-1529
JWT Manipulation in Keycloak Enables Unauthorized Organization Access
Publication date: 2026-02-09
Last updated on: 2026-02-10
Assigner: Red Hat, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Keycloak and involves an attacker modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload.
Because the system does not verify the cryptographic signature of the JWT payload, the attacker can alter these values and successfully self-register into an organization they are not authorized to join.
This flaw allows unauthorized access by bypassing intended access controls.
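As an added illustration (not Keycloak's own code), the CWE-347 pattern the answer above describes, using a simplified HS256 invitation token: the unverified decode trusts whatever the payload says, while the hardened check recomputes the HMAC over header.payload and rejects a token whose payload was altered after issuance. The key, the claim names (org_id, email) and the HS256 algorithm are assumptions for the demo; real deployments typically use asymmetric signatures and a key lookup by kid.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_invitation(claims: dict, key: bytes) -> str:
    """Issue an HS256 invitation token (constructed stand-in for the real issuer)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def claims_unverified(token: str) -> dict:
    """Vulnerable pattern (CWE-347): reads org_id/email without checking the signature."""
    return json.loads(b64url_decode(token.split(".")[1]))


def claims_verified(token: str, key: bytes) -> Optional[dict]:
    """Hardened pattern: pin the algorithm, recompute the MAC, compare in constant time."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        return None  # never let the token choose its own algorithm
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        return None  # payload or signature altered after issuance
    return json.loads(b64url_decode(payload))


def altered_payload_token(token: str, new_claims: dict) -> str:
    """Constructed negative test vector: same header and signature, different payload."""
    header, _, sig = token.split(".")
    return f"{header}.{b64url_encode(json.dumps(new_claims).encode())}.{sig}"
```

A validator that only calls claims_unverified (or a library decode with verification disabled) accepts the altered token; the verified path returns None for it, which is the check a registration endpoint must make before acting on org_id.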
How can this vulnerability impact me?
The vulnerability can lead to unauthorized access to organizations within Keycloak by allowing attackers to self-register into organizations without proper authorization.
This unauthorized access can compromise confidentiality and integrity of organizational data and resources.
Given the CVSS score of 8.1, the impact is considered high in terms of confidentiality and integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know