CVE-2026-9087

Summary

A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat build of Keycloak 26.426.4.13-1 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-19 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-19 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6.3-3 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6-6 < *unaffected
Red HatRed Hat build of Keycloak 26.626.6-6 < *unaffected

Weaknesses

  • CWE-639: Authorization Bypass Through User-Controlled Key

Workarounds

To mitigate this issue, configure the affected identity provider to set trustEmail=true. This ensures that Keycloak trusts the email address provided by the upstream identity provider, bypassing the vulnerable verification flow. This mitigation should only be applied if the upstream identity provider is fully trusted to verify email addresses and prevent malicious account creation with existing email addresses. Configuration changes may require a Keycloak service restart or reload to take effect.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References