CVE-2026-9793
Status: Analyzed (Analysis Complete)
Keycloak JWE Unsigned Claims Processing Bypass

Publication date: 2026-05-28

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements.
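The flaw described above comes down to a policy check on the plaintext that comes out of a JWE: a request object that decrypts to a nested JWS can be verified against the client's required algorithm, but one that decrypts to a bare JSON object has no signature at all and must be rejected whenever the client is configured to require signed request objects. The following is an added example of that check and is not Keycloak's code; it assumes a simplified client policy (required_alg of "HS256" with a shared secret, or None when unsigned objects are allowed), uses only the Python standard library, and builds its own constructed sample inputs. Real deployments would verify the client's registered asymmetric key (RS256, ES256, ...) instead of an HMAC secret.

```python
# Added example (not Keycloak code): enforcing a request-object signature policy
# on the plaintext recovered from a JWE, so that raw JSON claims cannot bypass
# a client that is configured to require signed request objects.
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple, Union


class RequestObjectRejected(Exception):
    """Raised when the decrypted request object violates the client's policy."""


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode("utf-8")


def make_hs256_jws(claims: dict, secret: bytes) -> str:
    """Constructed helper: produce a compact JWS (HS256) to use as sample input."""
    header = _b64url_encode(_compact_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url_encode(_compact_json(claims))
    sig = hmac.new(secret, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def make_unsigned_jws(claims: dict) -> str:
    """Constructed helper: compact JWS with alg=none (empty signature segment)."""
    header = _b64url_encode(_compact_json({"alg": "none"}))
    payload = _b64url_encode(_compact_json(claims))
    return f"{header}.{payload}."


def process_decrypted_request_object(plaintext: bytes, required_alg: Optional[str],
                                     secret: bytes) -> dict:
    """Apply the client's signature policy to the JWE plaintext and return the claims.

    required_alg is the algorithm the client is configured to require (this
    example supports only "HS256", with `secret` as the HMAC key); None means
    unsigned request objects are permitted for this client.
    """
    text = plaintext.decode("utf-8").strip()

    # Case 1: the JWE carried raw JSON. There is no signature to check, so this
    # is acceptable only when the policy explicitly allows unsigned objects.
    if text.startswith("{"):
        if required_alg is not None:
            raise RequestObjectRejected(f"unsigned claims, but client requires {required_alg}")
        return json.loads(text)

    # Case 2: the JWE carried a nested compact JWS (header.payload.signature).
    parts = text.split(".")
    if len(parts) != 3:
        raise RequestObjectRejected("plaintext is neither a JSON object nor a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise RequestObjectRejected("JWS header is not a JSON object")
    alg = header.get("alg")

    if alg in (None, "none"):
        # alg=none is just another unsigned object; same rule as raw JSON.
        if required_alg is not None:
            raise RequestObjectRejected(f"alg=none, but client requires {required_alg}")
        return json.loads(_b64url_decode(parts[1]))

    if required_alg is not None and alg != required_alg:
        raise RequestObjectRejected(f"alg {alg} does not match required {required_alg}")
    if alg != "HS256":
        raise RequestObjectRejected(f"alg {alg} is not supported by this example")

    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise RequestObjectRejected("signature verification failed")
    return json.loads(_b64url_decode(parts[1]))


def verdict(plaintext: bytes, required_alg: Optional[str],
            secret: bytes) -> Tuple[bool, Union[dict, str]]:
    """Convenience wrapper: (True, claims) when accepted, (False, reason) when rejected."""
    try:
        return True, process_decrypted_request_object(plaintext, required_alg, secret)
    except (RequestObjectRejected, ValueError) as exc:  # binascii/Unicode errors are ValueErrors
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample data; none of these values come from the advisory.
    secret = b"constructed-demo-client-secret"
    claims = {"client_id": "demo-client", "redirect_uri": "https://app.example/cb", "scope": "openid"}
    samples = {
        "signed JWS, policy HS256": (make_hs256_jws(claims, secret).encode(), "HS256"),
        "raw JSON, policy HS256": (_compact_json(claims), "HS256"),
        "alg=none JWS, policy HS256": (make_unsigned_jws(claims).encode(), "HS256"),
        "raw JSON, unsigned allowed": (_compact_json(claims), None),
    }
    for label, (plaintext, policy) in samples.items():
        print(f"{label:30s} -> {verdict(plaintext, policy, secret)}")
```

The point of the structure is that the "raw JSON" branch and the "alg=none" branch share the same rule as any other unsigned input: the decision is driven by the client's configured policy, not by whatever shape the plaintext happens to take. Rejections are distinct exceptions so that an authorization server can log the reason, which also gives defenders a detection hook for clients that start submitting unsigned request objects.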
Meta Information
Published: 2026-05-28
Last Modified: 2026-06-03
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products (1 associated CPE)
Vendor: redhat
Product: build_of_keycloak
Version / Range: *
CWE
CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data.
AI Quick Actions
Executive Summary

This vulnerability exists in Keycloak and involves the processing of JSON Web Encryption (JWE) encrypted request objects. When such a request is submitted, if the decrypted content is raw JSON, Keycloak may incorrectly process unsigned claims by bypassing the configured signature policy.

As a result, a remote attacker can submit unauthorized claims, which compromises the integrity of data within the OpenID Connect (OIDC) authorization flow.

Impact Analysis

The vulnerability allows a remote attacker to submit unauthorized claims during the OIDC authorization process, potentially compromising data integrity.

This means that an attacker could manipulate authorization data, leading to unauthorized access or actions within systems relying on Keycloak for authentication and authorization.

Compliance Impact

This vulnerability violates the signing requirements of the OpenID Connect (OIDC) Core and Financial-grade API (FAPI) standards.

Since these standards are often part of compliance frameworks related to data security and integrity, such as those required by regulations like GDPR and HIPAA, the flaw could negatively impact compliance by undermining the assurance of data integrity and secure authorization flows.

Mitigation Strategies

An immediate mitigating control is to use a redirect URI allowlist, which can help reduce the risk by limiting where requests can be redirected.

However, this is only a compensating control and does not fully address the vulnerability, which violates OIDC Core and Financial-grade API (FAPI) signing requirements.

It is recommended to apply any available patches or updates from the vendor to fix the underlying flaw in Keycloak's processing of JSON Web Encryption (JWE) encrypted request objects.
