CVE-2026-16093
Received Received - Intake

Keycloak Client Policy Bypass via Unsigned JWT Assertion

Vulnerability report for CVE-2026-16093, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: Red Hat, Inc.

Description

Keycloak provides a mechanism called Client Policies to enforce security requirements on clients, such as requiring them to use signed JWTs for authentication. A flaw was discovered where this enforcement can be bypassed. An attacker with valid client credentials can provide a fake, unsigned assertion header that tricks the system into thinking the policy requirements have been met. This allows the attacker to authenticate using simpler methods like a client secret even when the administrator has mandated more secure, signed assertions.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
redhat keycloak From 17.0.0 (inc)
keycloak keycloak *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-807 The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Keycloak allows attackers to bypass security policies requiring signed JWTs for client authentication. By providing a fake unsigned assertion header with a valid algorithm field, the system incorrectly assumes the policy requirements are met. This lets attackers authenticate using weaker methods like client secrets even when stronger signed assertions are mandated.

Detection Guidance

To detect this vulnerability, monitor Keycloak logs for authentication attempts using unsigned JWTs when signed assertions are enforced. Check for requests with valid alg fields but missing proper assertion headers. Review client authentication logs for anomalies where clients bypass policy requirements.

Impact Analysis

An attacker with valid client credentials could exploit this to authenticate without proper signed assertions, potentially gaining unauthorized access to resources or performing actions they shouldn't. This undermines enforced security policies and could lead to data breaches or privilege escalation if the attacker gains elevated access.

Compliance Impact

This vulnerability could violate compliance requirements that mandate strong authentication methods like signed JWTs. Organizations relying on Keycloak's client policies for regulatory compliance may fail audits if this flaw allows weaker authentication methods to bypass mandated security controls.

Mitigation Strategies

Apply the latest Keycloak patches immediately. Review and update Client Policies to enforce strict signed JWT validation. Disable unsigned assertion headers in configurations. Monitor for unauthorized authentication attempts and restrict client credentials to trusted methods.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-16093. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart