CVE-2026-14781
Received - Intake

Email Verification Bypass in Keycloak OIDC Broker

Vulnerability report for CVE-2026-14781, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: Red Hat, Inc.

Description

A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the email_verified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but retrieves the email_verified status exclusively from the id_token. The root cause is a lack of validation ensuring that the email_verified claim in the id_token actually refers to the email address returned by the userinfo endpoint. If these two sources return different email addresses, the id_token's email_verified=true claim is blindly applied to the userinfo email.

Exploitation Conditions:

  • The OIDC identity provider must have trustEmail set to true (non-default).
  • The userinfo endpoint must be enabled (default).
  • The attacker must control or have compromised the upstream OIDC provider.

Concrete Impact:

  • Mark arbitrary email addresses as verified in the Keycloak database.
  • Bypass email-based security controls or verification workflows.
  • Potential account takeover if the application relies solely on the email_verified flag from the IdP to link accounts.
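The claim-synchronisation pattern described above, as an added illustration in Python (this is not Keycloak's own code, which is Java): merge_vulnerable reproduces the behaviour the description gives, while merge_hardened applies email_verified only when the id_token and the userinfo response name the same address. The sample claims, the case-insensitive address comparison and the preference for a userinfo-supplied email_verified flag are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class BrokeredIdentity:
    email: Optional[str]
    email_verified: bool


def _norm(addr: Optional[str]) -> Optional[str]:
    """Normalise an address for comparison (assumption: case-insensitive match)."""
    return addr.strip().lower() if isinstance(addr, str) else None


def merge_vulnerable(id_token: dict, userinfo: dict) -> BrokeredIdentity:
    """The pattern the advisory describes: email taken from userinfo, the
    email_verified flag taken only from the id_token, no cross-check."""
    email = userinfo.get("email", id_token.get("email"))
    verified = bool(id_token.get("email_verified", False))
    return BrokeredIdentity(email, verified)


def merge_hardened(id_token: dict, userinfo: dict) -> BrokeredIdentity:
    """email_verified is a statement about the email claim in the *same*
    document; it is applied to the userinfo address only when both documents
    name the same address (or when userinfo carries its own flag)."""
    id_email = id_token.get("email")
    ui_email = userinfo.get("email")
    if ui_email is None:
        # No userinfo address: fall back to the id_token email/flag pair as a unit.
        return BrokeredIdentity(id_email, id_email is not None
                                and bool(id_token.get("email_verified", False)))
    if "email_verified" in userinfo:
        # userinfo vouches for its own address; use that statement, not the id_token's.
        return BrokeredIdentity(ui_email, bool(userinfo["email_verified"]))
    same_address = _norm(id_email) is not None and _norm(id_email) == _norm(ui_email)
    verified = same_address and bool(id_token.get("email_verified", False))
    return BrokeredIdentity(ui_email, verified)


# Constructed sample (not real tokens): the id_token vouches for one address
# while the userinfo response from the same IdP names a different one.
SAMPLE_ID_TOKEN = {"sub": "u-1", "email": "alice@example.com", "email_verified": True}
SAMPLE_USERINFO = {"sub": "u-1", "email": "bob@example.org"}

if __name__ == "__main__":
    print("vulnerable:", merge_vulnerable(SAMPLE_ID_TOKEN, SAMPLE_USERINFO))
    print("hardened:  ", merge_hardened(SAMPLE_ID_TOKEN, SAMPLE_USERINFO))
```

With the sample input the vulnerable merge yields bob@example.org marked verified on the strength of a flag that only ever referred to alice@example.com; the hardened merge keeps the address but leaves it unverified.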


Meta Information

Published
2026-07-05
Last Modified
2026-07-05
Generated
2026-07-05
AI Q&A
2026-07-05
EPSS Evaluated
N/A

Affected Vendors & Products

Showing 1 associated CPE

Vendor   Product    Version / Range
jboss    keycloak   From 2026-07-05 (inc)

Exploitability

CWE ID    Description
CWE-1288 The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent.

AI Quick Actions

Executive Summary

This vulnerability exists in the org.keycloak.broker.oidc package of Keycloak. It occurs because the OIDC broker incorrectly synchronizes the email_verified claim when an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled. Specifically, Keycloak retrieves the email address from the userinfo response but takes the email_verified status only from the id_token without validating that the email_verified claim corresponds to the same email address returned by the userinfo endpoint.

If the id_token and userinfo endpoint return different email addresses, the email_verified=true claim from the id_token is wrongly applied to the email address from the userinfo endpoint. This flaw can be exploited if an attacker controls or has compromised the upstream OIDC provider.

Impact Analysis

This vulnerability can have several impacts:

  • It allows marking arbitrary email addresses as verified in the Keycloak database.
  • It can be used to bypass email-based security controls or verification workflows.
  • It may lead to potential account takeover if an application relies solely on the email_verified flag from the identity provider to link accounts.

Mitigation Strategies

To mitigate this vulnerability, ensure that the OIDC identity provider configuration does not have trustEmail set to true unless absolutely necessary.

Consider disabling the userinfo endpoint if it is not required, as the vulnerability depends on it being enabled.

Review and update Keycloak to a version where this flaw is fixed once a patch is available.

Monitor and verify the integrity of your upstream OIDC providers to prevent compromise.

Compliance Impact

This vulnerability allows an attacker to falsely mark arbitrary email addresses as verified in Keycloak, potentially bypassing email-based security controls and verification workflows.

Such unauthorized account access or incorrect user data validation could lead to violations of data protection and identity verification requirements mandated by standards like GDPR and HIPAA, which require accurate user identity verification and protection of personal data.

Therefore, the flaw may undermine compliance with these regulations by enabling potential account takeovers and improper handling of verified user information.
