CVE-2026-9087
MediumCVSS 6.4Exploitation Probability (EPSS)
Low risk23th percentile - higher than 23% of all known CVEs
Summary
A flaw was found in Keycloak where the cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, allowing a second upstream account on the same IdP to consume it and get linked to the victim's local account.
Risk Assessment
The risk involves potential unauthorized account takeover by an attacker with another account on the same identity provider, leading to confidentiality and integrity breaches of user data.
Recommendation
It is recommended to immediately update Keycloak to a version that fixes this vulnerability and implement mechanisms to bind the verification proof to the specific upstream account.
Original NVD description (English source)
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.

