CVE-2026-8830
Analyzed Analyzed - Analysis Complete
WebAuthn Policy Bypass in Keycloak via Client-Side Manipulation

Publication date: 2026-05-19

Last updated on: 2026-06-02

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-06-02
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-8830
EUVD
EUVD-2026-30841
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-603 A client/server product performs authentication within client code but not in server code, allowing server-side authentication to be bypassed via a modified client that omits the authentication check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Keycloak and allows an authenticated user to bypass the configured WebAuthn policies during credential registration by manipulating client-side JavaScript.

The root cause is that the server-side processAction() function does not properly validate that the parameters of the newly created credential, such as public key algorithms, conform to the realm's configured WebAuthn policies.

As a result, users can create credentials that do not adhere to the administrative security requirements set by the system.

Impact Analysis

This vulnerability can weaken the overall security posture of the system by allowing the creation of authentication credentials that bypass established security policies.

Attackers or users could register credentials that use weaker or non-compliant authentication methods, potentially increasing the risk of unauthorized access or credential misuse.

Compliance Impact

This vulnerability allows an authenticated user to bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. As a result, credentials that do not adhere to administrative security requirements can be created.

Because the server-side process does not validate that the newly created credential's parameters match the realm's configured WebAuthn policies, this could weaken the overall security posture of the system.

Such weakening of security controls may lead to non-compliance with common standards and regulations like GDPR and HIPAA, which require strict authentication and security measures to protect sensitive data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8830. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart