CVE Catalog

CVE-2026-9087

MediumCVSS 6.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

23th percentile - higher than 23% of all known CVEs

Summary

A flaw was found in Keycloak where the cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, allowing a second upstream account on the same IdP to consume it and get linked to the victim's local account.

Risk Assessment

The risk involves potential unauthorized account takeover by an attacker with another account on the same identity provider, leading to confidentiality and integrity breaches of user data.

Recommendation

It is recommended to immediately update Keycloak to a version that fixes this vulnerability and implement mechanisms to bind the verification proof to the specific upstream account.

Original NVD description (English source)

A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS