Intel

AIKIDO-2026-271447

keycloak-services is vulnerable to Authentication Bypass

Authentication BypassCVE-2026-11800 Published 3 days ago

81

High Risk

This Affects:

JAVAkeycloak-services
26.0.0 - 26.6.3
Fixed in 26.6.4
Are you affected? Scan for Free

TL;DR

keycloak-services validates JWT assertions in the JWT Authorization Grant flow and related JWT public-key client authenticators without restricting the signature to asymmetric algorithms. A client holding valid credentials can forge an assertion signed with a symmetric algorithm such as HS256, causing the server to verify the signature using known public key material as the HMAC secret. This algorithm confusion bypasses signature verification and lets the caller mint access tokens that impersonate any federated user linked to the affected identity provider. The fix rejects symmetric algorithms in the public-key JWT validators and only permits them for the dedicated client-secret-jwt authentication flow.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your realm has a JWT Authorization Grant or JWT-based federated identity provider configured.

Background info

keycloak-services is vulnerable to Authentication Bypass in versions 26.0.0 - 26.6.3.

How to fix this

Upgrade the org.keycloak:keycloak-services library to the patch version.