=====================================================================

                            CERT-Renater

                Information Note No. 2026/VULN685
_____________________________________________________________________

DATE                : 29/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running keycloak, keycloak-services (Maven)
                     versions prior to 26.6.4,
                     keycloak-policy-enforcer (Maven) versions prior
                     to 26.0.10.

=====================================================================
https://github.com/keycloak/keycloak/security/advisories/GHSA-f5p5-6xmx-p252
https://github.com/keycloak/keycloak/security/advisories/GHSA-j97h-3f8r-mrjr
https://github.com/keycloak/keycloak/security/advisories/GHSA-2qxf-v3g6-73v9
https://github.com/keycloak/keycloak/security/advisories/GHSA-v3f7-2p4r-mwfw
https://github.com/keycloak/keycloak/security/advisories/GHSA-32h4-44jj-c5vx
https://github.com/keycloak/keycloak/security/advisories/GHSA-r7rc-c989-86g6
https://github.com/keycloak/keycloak/security/advisories/GHSA-9jrw-8xf7-xqhq
https://github.com/keycloak/keycloak/security/advisories/GHSA-w3p3-7cjg-vgfw
_____________________________________________________________________

Authorization bypass via incorrect URI comparison
High
pskopek published GHSA-f5p5-6xmx-p252

Package
No package listed

Affected versions
< 26.6.4

Patched versions
26.6.4

org.keycloak:keycloak-policy-enforcer (Maven)

Affected versions
< 26.0.10

Patched versions
26.0.10


Description

A flaw was found in Keycloak Policy Enforcer. This vulnerability allows
any authenticated user to bypass all authorization policies, including
role, scope, and User-Managed Access (UMA) permission checks. By
including the configured access-denied page path within a request URL,
either as a path segment or a query parameter, an attacker can gain
unauthorized access to protected resources.
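
The URI comparison the description refers to is easy to get wrong in exactly this way. The following Python is an added illustration, not Keycloak's policy-enforcer code: it contrasts a substring check over the whole request URI with an exact comparison of the normalized path component. The access-denied path "/access-denied", the request URIs and the function names are constructed for the example.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed configuration: the page the enforcer redirects to when access
# is denied. Requests for this page itself must not be policy-checked, but
# nothing else may inherit that exemption.
ACCESS_DENIED_PATH = "/access-denied"


def is_access_denied_page_flawed(request_uri, denied_path=ACCESS_DENIED_PATH):
    # Substring test over the whole request URI: any request that merely
    # mentions the access-denied path, in a path segment or a query
    # parameter, is mistaken for the access-denied page and skips enforcement.
    return denied_path in request_uri


def normalize_path(raw_path):
    # Percent-decode, then collapse ".", ".." and repeated slashes, so that
    # the comparison sees the path the application would actually serve.
    path = posixpath.normpath(unquote(raw_path) or "/")
    if not path.startswith("/"):
        return None  # a relative path never names the access-denied page
    return "/" + path.lstrip("/")  # normpath preserves a leading "//"


def is_access_denied_page(request_uri, denied_path=ACCESS_DENIED_PATH):
    # Exact comparison of the normalized path component only; the query
    # string and any fragment never take part in the decision.
    path = normalize_path(urlsplit(request_uri).path)
    return path is not None and path == normalize_path(denied_path)


def should_enforce(request_uri):
    # The only request exempt from policy evaluation is the access-denied page.
    return not is_access_denied_page(request_uri)
```

With the exact comparison, a request that only carries the access-denied path in a query parameter or in a ".." segment still goes through policy evaluation. In a real enforcer the normalization must match what the container does before routing, otherwise the two views of the path can disagree again.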


Severity
High
8.1 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE ID
CVE-2026-9800

Weaknesses
Weakness CWE-1025 

_____________________________________________________________________

Authentication bypass via JWT algorithm confusion
High
pskopek published GHSA-j97h-3f8r-mrjr

Package
org.keycloak:keycloak-services (Maven)

Affected versions
< 26.6.4

Patched versions
26.6.4


Description

A flaw was found in Keycloak. This JWT algorithm confusion
vulnerability in the JWT Authorization Grant flow allows an
attacker with valid client credentials to bypass signature
verification. By forging an assertion, the attacker can create
unauthorized access tokens. This enables the attacker to
impersonate any federated user linked to the affected Identity
Provider, leading to unauthorized access and potential
privilege escalation.
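
Algorithm confusion arises when the verifier lets the token's own header choose the algorithm. The Python below is an added example and not Keycloak's JWT Authorization Grant implementation; it contrasts a verifier that trusts the header "alg" with one that takes the algorithm from the registered key. The key registry, key ids, secrets and claims are constructed; only HS256 is implemented (standard-library HMAC), and the RS256 entry exists solely to show the pinning check rejecting a mismatched header before any cryptography runs.

```python
import base64
import hashlib
import hmac
import json


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed key registry: kid -> key record. The algorithm is bound to the
# key when it is registered; it is the only algorithm the key may verify.
KEYS = {
    "idp-rsa-1": {"alg": "RS256",
                  "material": b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n"},
    "client-hs-1": {"alg": "HS256",
                    "material": b"constructed-client-secret-not-for-real-use"},
}


def hs256(signing_input, secret):
    return hmac.new(secret, signing_input, hashlib.sha256).digest()


def make_token(header, payload, secret=None):
    # Builds a compact JWS: an HS256 signature if a secret is given, else an
    # empty signature (the form an "alg": "none" assertion takes).
    h = b64url(json.dumps(header, separators=(",", ":")).encode())
    p = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hs256(f"{h}.{p}".encode(), secret) if secret is not None else b""
    return f"{h}.{p}.{b64url(sig)}"


def verify_flawed(token, keys):
    # Trusts the algorithm named in the (unauthenticated) header and feeds
    # whatever bytes the key holds to that algorithm: an RSA public key ends
    # up used as an HMAC secret, and "none" skips verification entirely.
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    key = keys.get(header.get("kid"))
    if key is None:
        return None
    alg = header.get("alg")
    if alg == "none":
        return json.loads(b64url_decode(p))
    if alg == "HS256" and hmac.compare_digest(
            hs256(f"{h}.{p}".encode(), key["material"]), b64url_decode(s)):
        return json.loads(b64url_decode(p))
    return None


def verify_pinned(token, keys):
    # The key record, not the token, decides the algorithm. A header that
    # disagrees with the registered algorithm is rejected before any
    # cryptographic operation runs, so "none" and HMAC-with-public-key fail.
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    key = keys.get(header.get("kid"))
    if key is None or header.get("alg") != key["alg"]:
        return None
    if key["alg"] == "HS256":
        if hmac.compare_digest(hs256(f"{h}.{p}".encode(), key["material"]),
                               b64url_decode(s)):
            return json.loads(b64url_decode(p))
        return None
    # RS256 needs an RSA implementation that this stdlib-only example does
    # not include; refusing is the safe default for any algorithm without
    # a verifier.
    return None
```

The pinned verifier never consults the header to decide what to compute; the header is only compared against what the registry already knows, and an assertion that disagrees is discarded without touching the key material.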


Severity
High
8.1 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE ID
CVE-2026-11800

Weaknesses
Weakness CWE-347 

_____________________________________________________________________

Group-admin escalation to realm-admin
High
pskopek published GHSA-2qxf-v3g6-73v9

Package
No package listed

Affected versions
< 26.6.4

Patched versions
26.6.4

Description

A flaw was found in Keycloak. A missing authorization check in the
GroupResource.addChild() endpoint within the Admin REST API allows an
authenticated user with limited administrative privileges to reparent
any existing group. When Fine-Grained Admin Permissions v2 (FGAPv2) is
enabled, an attacker with management rights over a single low-privilege
group can reparent a highly privileged group (such as one possessing
the realm-admin role) under their managed group. Because group
permissions follow a hierarchical structure, this action unauthorizedly
grants the attacker management and password-reset capabilities over the
members of the targeted privileged group. An attacker can exploit this
to reset an administrator's password, compromise the account, and
achieve a full realm takeover, leading to a complete compromise of
confidentiality, integrity, and availability.
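
The escalation in the description depends on the authorization check for a move covering only the destination group. The Python below is an added model, not Keycloak's GroupResource code: a small group tree with hierarchical management rights, an addChild that checks only the new parent, and a version that also requires rights over the group being moved (that second check is an assumption about the fix, modelled for illustration). Group names and the delegated admin's rights are constructed.

```python
class GroupTree:
    # Minimal model of a realm's group hierarchy: name -> parent name
    # (None for a top-level group).
    def __init__(self):
        self.parent = {}

    def add(self, name, parent=None):
        self.parent[name] = parent

    def lineage(self, name):
        # The group itself followed by its ancestors up to the root.
        while name is not None:
            yield name
            name = self.parent[name]

    def descendants(self, name):
        return {g for g in self.parent
                if g != name and name in list(self.lineage(g))}


def can_manage(tree, managed_groups, group):
    # Hierarchical model: managing a group implies managing its subtree,
    # so a right on any ancestor (or the group itself) is sufficient.
    return any(g in managed_groups for g in tree.lineage(group))


def add_child_flawed(tree, managed_groups, parent, child):
    # Only the new parent is checked. Any group the caller can name may be
    # pulled under a group they manage, including a far more privileged one.
    if not can_manage(tree, managed_groups, parent):
        raise PermissionError("no management right over target group")
    tree.parent[child] = parent


def add_child(tree, managed_groups, parent, child):
    # Assumed fix, modelled here: the caller must manage both the group
    # being moved and its new parent, and the move must not create a cycle.
    if not can_manage(tree, managed_groups, parent):
        raise PermissionError("no management right over target group")
    if not can_manage(tree, managed_groups, child):
        raise PermissionError("no management right over group being moved")
    if parent == child or parent in tree.descendants(child):
        raise ValueError("move would create a cycle")
    tree.parent[child] = parent


def try_move(move, tree, managed_groups, parent, child):
    # Returns None when the move succeeds, else the exception's class name.
    try:
        move(tree, managed_groups, parent, child)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__
    return None


def sample_realm():
    # Constructed realm: "admins" carries realm-admin; "helpdesk" is a
    # low-privilege group under "staff", managed by a delegated admin.
    tree = GroupTree()
    tree.add("admins")
    tree.add("staff")
    tree.add("helpdesk", parent="staff")
    return tree
```

Run against sample_realm() with a delegated admin whose only right is on "helpdesk", the flawed move leaves "admins" inside the delegate's subtree, which under the hierarchical model is exactly the management and password-reset reach the description warns about; the checked version refuses the move and leaves the privileged group where it was.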


Severity
High
7.7 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

CVE ID
CVE-2026-9099

Weaknesses
Weakness CWE-639 

_____________________________________________________________________

Cross-site scripting (XSS) via case-insensitive URI validation bypass
High
pskopek published GHSA-v3f7-2p4r-mwfw

Package
No package listed

Affected versions
< 26.6.4

Patched versions
26.6.4


Description

A flaw was found in Keycloak. A remote attacker with administrative
privileges, specifically those with manage-client permission or access
to client registration endpoints, could bypass client Uniform Resource
Identifier (URI) validation. This is achieved by registering a malicious
client with a specially crafted redirect URI using a case-insensitive
javascript: or data: scheme. This Cross-Site Scripting (XSS) vulnerability
allows for arbitrary code execution in the Keycloak origin when a victim
clicks the crafted link, such as in the logout flow or the Admin Console.
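
The redirect URI check the description refers to fails because a deny-list was compared case-sensitively while RFC 3986 schemes are case-insensitive. The Python below is an added example and not Keycloak's validator; it contrasts that pattern with an allow-list comparison on the lower-cased parsed scheme. The allowed set {"https"} and the sample URIs are constructed; a deployment with native clients would register its own custom schemes in the set.

```python
from urllib.parse import urlsplit

# Constructed policy: the schemes a deployment accepts for redirect URIs.
# A deployment serving native apps would add its own registered custom
# schemes here; "javascript" and "data" never belong in the set.
ALLOWED_SCHEMES = {"https"}


def is_valid_redirect_uri_flawed(uri):
    # Case-sensitive deny-list: "JavaScript:" or "DATA:" is not matched, yet
    # a browser treats the scheme case-insensitively and honours it anyway.
    return not (uri.startswith("javascript:") or uri.startswith("data:"))


def is_valid_redirect_uri(uri, allowed=ALLOWED_SCHEMES):
    # Reject ASCII control characters and spaces outright: browsers strip
    # some of them from a scheme while a server-side parser may not, and the
    # two must not disagree about what the scheme is.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in uri):
        return False
    parts = urlsplit(uri)
    # RFC 3986 makes the scheme case-insensitive; compare in lower case
    # against an allow-list, so any unexpected scheme fails closed.
    if parts.scheme.lower() not in allowed:
        return False
    # Require an authority: "https:" alone is not a usable redirect target.
    if not parts.netloc:
        return False
    return True
```

The allow-list is the important change, not the lower-casing on its own: a deny-list has to anticipate every dangerous scheme and every spelling of it, whereas an allow-list only has to name the handful the deployment actually uses.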

Severity
High
7.3 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CVE ID
CVE-2026-9086

Weaknesses
Weakness CWE-79

_____________________________________________________________________


Privilege escalation via improper scope mapping enforcement
High
pskopek published GHSA-32h4-44jj-c5vx

Package
No package listed

Affected versions
< 26.6.4

Patched versions
26.6.4


Description

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2)
feature. An administrator with limited client management permissions can
exploit this vulnerability to assign any realm role, including highly
privileged roles, to a client's scope mapping. This bypasses intended
security controls, allowing the injected role to be projected into a
user's authentication token when they access the modified client. This
could lead to unauthorized privilege escalation within the Keycloak
realm.


Severity
High
7.3 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
High
User interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N

CVE ID
CVE-2026-9795

Weaknesses
Weakness CWE-266 

_____________________________________________________________________


Attacker can re-enable and take over disabled clients via registration
access token
Moderate
pskopek published GHSA-r7rc-c989-86g6

Package
No package listed

Affected versions
< 26.6.4

Patched versions
26.6.4

Description

A flaw was found in Keycloak's client registration service. A remote
attacker, possessing a previously issued Registration Access Token (RAT),
could exploit this vulnerability to re-enable a client that an
administrator had explicitly disabled. This bypasses security controls,
allowing the attacker to reset the client's secret and potentially
regain privileged API access. The primary impact includes unauthorized
information disclosure and potential integrity compromise.


Severity
Moderate
6.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

CVE ID
CVE-2026-9705

Weaknesses
Weakness CWE-613

_____________________________________________________________________

Information disclosure through arbitrary filesystem path probing
Moderate
pskopek published GHSA-9jrw-8xf7-xqhq

Package
No package listed

Affected versions
< 26.6.4

Patched versions
26.6.4


Description

A flaw was found in Keycloak. A realm administrator with the
"manage-realm" role can exploit this vulnerability by submitting an
arbitrary filesystem path as a keystore parameter when creating a key
provider component. This allows the administrator to probe arbitrary
filesystem paths, determining which files exist and are readable by
the Keycloak process. This information disclosure could be used to
identify high-value targets for follow-on attacks.
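
The keystore path problem is a confinement and error-oracle issue: the parameter is taken as given, and the failure mode tells the caller whether the file exists. The Python below is an added example, not Keycloak's key provider code; it confines the parameter to a keystore directory, canonicalises it, and returns one generic message for every failure. The directory, file names and messages are constructed.

```python
import os
import tempfile
from pathlib import Path

# Every failure reports the same message, so the response does not reveal
# whether a path exists, is a directory, or is unreadable by the process.
GENERIC_ERROR = "keystore could not be loaded"


def resolve_keystore_path(user_supplied, root):
    # Confine the keystore parameter to a directory set aside for it:
    # refuse absolute paths, canonicalise, and require the result to sit
    # inside the root once symlinks and ".." segments are resolved.
    root = Path(root).resolve()
    if os.path.isabs(user_supplied):
        return None
    candidate = (root / user_supplied).resolve()
    if root not in candidate.parents:
        return None
    return candidate


def load_keystore_flawed(user_supplied):
    # Opens whatever path was supplied and echoes the OS error, which tells
    # the caller whether the file exists and whether the process can read it.
    try:
        with open(user_supplied, "rb") as fh:
            fh.read(1)
    except FileNotFoundError:
        return "file not found"
    except PermissionError:
        return "file exists but is not readable"
    return "loaded"


def load_keystore(user_supplied, root):
    # Confined path plus a single outcome for every kind of failure.
    path = resolve_keystore_path(user_supplied, root)
    if path is None:
        return GENERIC_ERROR
    try:
        with open(path, "rb") as fh:
            fh.read(1)
    except OSError:
        return GENERIC_ERROR
    return "loaded"


def demo():
    # Runs both loaders against a constructed keystore directory and returns
    # the outcomes, so the difference in what each reveals is visible.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "good.p12").write_bytes(b"\x00")
        return {
            "good": load_keystore("good.p12", root),
            "nested_dotdot": load_keystore("sub/../good.p12", root),
            "traversal": load_keystore("../../etc/hostname", root),
            "absolute": load_keystore("/etc/hostname", root),
            "missing": load_keystore("missing.p12", root),
            "flawed_missing": load_keystore_flawed(str(root / "missing.p12")),
            "flawed_good": load_keystore_flawed(str(root / "good.p12")),
        }
```

Both halves matter: confinement stops the parameter from naming files outside the keystore directory, and the uniform error stops the request from acting as an existence probe for the files it can still name inside it. The detail an operator needs for troubleshooting belongs in the server log, not in the API response.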

Severity
Moderate
4.9 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
High
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

CVE ID
CVE-2026-9083

Weaknesses
Weakness CWE-22

_____________________________________________________________________

Unauthorized access to resources via UMA permission ticket bypass
Moderate
pskopek published GHSA-w3p3-7cjg-vgfw

Package
No package listed

Affected versions
< 26.6.4

Patched versions
26.6.4

Description

A flaw was found in org.keycloak.authorization. An authenticated
user with a granted User-Managed Access (UMA) permission ticket
for one resource can exploit this by using a specific permission
request prefix to bypass per-resource access control. This
allows the user to gain unauthorized access to all resources of
that type within the same resource server, even if they do not
have a ticket for those specific resources. This vulnerability
requires the resource server to be configured in PERMISSIVE
policy enforcement mode and affects typed resources with
ownerManagedAccess enabled, where no explicit policy protects
the resource type. The primary consequence is unauthorized
information disclosure or modification of resources.


Severity
Moderate
4.6 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CVE ID
CVE-2026-9799

Weaknesses
Weakness CWE-639 


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================