CVE-2026-9087
Keycloak Session Linking Vulnerability via IdP Identity Confusion
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Keycloak's cross-session email verification process. The verification proof is keyed only by the local user ID and the identity provider alias, but it is not bound to the specific upstream identity that was actually verified.
As a result, a second upstream account from the same identity provider can misuse this verification proof to link itself to the victim's local account.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized linking of accounts. An attacker controlling a second upstream account on the same identity provider can consume the verification proof intended for another user and link their account to the victim's local account.
This could result in unauthorized access or actions performed under the victim's local account, potentially compromising confidentiality and integrity of the victim's data.