VDB
Severity: MEDIUM (6.4)

GHSA-m6qj-3mpp-57v8

Keycloak: Insufficient verification proof scoping enables identity provider account linking attack and account compromise

Details

A flaw was found in Keycloak. When a local user account is linked to an account at a brokered identity provider, Keycloak records a cross-session verification proof that is keyed only by (local userId, idpAlias); the proof is not bound to the upstream identity that was actually verified. A second, different upstream account on the same IdP can therefore consume that proof and be linked to the victim's local account, resulting in compromise of the victim's account.
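
The following is an added illustration of the keying problem described above; it is not Keycloak code and does not use Keycloak's APIs. It models a server-side proof store once keyed by (userId, idpAlias) as the advisory describes, and once additionally keyed by the verified upstream subject. Class and function names (UnboundProofStore, BoundProofStore, complete_link, and the scenario helpers), the IdP alias and all subject identifiers are assumptions constructed for the example.

```python
"""Model of the account-linking step at issue: a server-side verification
proof keyed only by (local user id, IdP alias) versus one that is also bound
to the upstream identity that was actually verified.

Added illustration, not Keycloak code. Class and function names are
hypothetical and every identity below is constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class BrokeredIdentity:
    """What the broker hands back after an upstream login completes."""
    idp_alias: str         # which configured IdP the user came from
    upstream_subject: str  # stable account identifier at that IdP


@dataclass
class LinkStore:
    """Federated-identity links: (local user id, IdP alias) -> upstream subject."""
    links: dict = field(default_factory=dict)

    def link(self, user_id: str, identity: BrokeredIdentity) -> None:
        self.links[(user_id, identity.idp_alias)] = identity.upstream_subject


class UnboundProofStore:
    """Vulnerable pattern: the proof is keyed by (user_id, idp_alias) only.

    Which upstream account was verified is never consulted on consumption,
    so any account from the same IdP can redeem the proof."""

    def __init__(self) -> None:
        self._proofs: dict = {}

    def record(self, user_id: str, verified: BrokeredIdentity) -> None:
        self._proofs[(user_id, verified.idp_alias)] = verified.upstream_subject

    def consume(self, user_id: str, presented: BrokeredIdentity) -> bool:
        # Single-use, but presented.upstream_subject is never compared
        # against the subject that was verified.
        return self._proofs.pop((user_id, presented.idp_alias), None) is not None


class BoundProofStore:
    """Hardened pattern: the proof key includes the verified upstream subject,
    so only a login from that exact upstream account can redeem it."""

    def __init__(self) -> None:
        self._proofs: dict = {}

    def record(self, user_id: str, verified: BrokeredIdentity) -> None:
        key = (user_id, verified.idp_alias, verified.upstream_subject)
        self._proofs[key] = True

    def consume(self, user_id: str, presented: BrokeredIdentity) -> bool:
        key = (user_id, presented.idp_alias, presented.upstream_subject)
        return self._proofs.pop(key, False)


def complete_link(proofs, links: LinkStore, user_id: str,
                  presented: BrokeredIdentity) -> bool:
    """Second half of the linking flow: redeem the proof, then persist the link."""
    if not proofs.consume(user_id, presented):
        return False
    links.link(user_id, presented)
    return True


# Constructed sample data (hypothetical alias and subjects).
IDP = "corp-idp"
VICTIM_USER = "local-user-42"
VICTIM_UPSTREAM = BrokeredIdentity(IDP, "sub-victim")
OTHER_UPSTREAM = BrokeredIdentity(IDP, "sub-attacker")  # second account, same IdP


def run_cross_account_scenario(store_cls):
    """The victim verifies their own upstream account (session 1); a different
    upstream account on the same IdP then tries to finish the link for the
    same local user (session 2). Returns (link accepted?, linked subject)."""
    proofs, links = store_cls(), LinkStore()
    proofs.record(VICTIM_USER, VICTIM_UPSTREAM)
    accepted = complete_link(proofs, links, VICTIM_USER, OTHER_UPSTREAM)
    return accepted, links.links.get((VICTIM_USER, IDP))


def run_legitimate_scenario(store_cls):
    """Same flow, but the account that finishes the link is the one verified.
    Also checks that the proof cannot be redeemed twice."""
    proofs, links = store_cls(), LinkStore()
    proofs.record(VICTIM_USER, VICTIM_UPSTREAM)
    first = complete_link(proofs, links, VICTIM_USER, VICTIM_UPSTREAM)
    second = complete_link(proofs, links, VICTIM_USER, VICTIM_UPSTREAM)
    return first, second, links.links.get((VICTIM_USER, IDP))


if __name__ == "__main__":
    print("unbound:", run_cross_account_scenario(UnboundProofStore))  # (True, 'sub-attacker')
    print("bound:  ", run_cross_account_scenario(BoundProofStore))    # (False, None)
```

With the unbound store the second upstream account is accepted and ends up linked to the victim's local user; with the bound store the same request fails because the proof key no longer matches, while the legitimate path (same subject that was verified) still succeeds exactly once. The general rule the example shows is that any proof carried across sessions must be bound to every fact it is later trusted to assert, here the specific upstream subject, not only to the local user and the IdP alias.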


Affected packages

Maven / org.keycloak:keycloak-services
Introduced in: 0 (every version before the fix)
Fixed in: 26.6.3
Fix: in pom.xml, bump <version>26.6.3</version> for org.keycloak:keycloak-services
