CVE-2026-9793
EUVD-2026-3270728.05.2026, 05:16
A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| redhat | build_of_keycloak | - |
𝑥
= Vulnerable software versions
Common Weakness Enumeration
Vulnerability Media Exposure