- Published: 2026-06-10
- Updated: 2026-06-10
RHSA-2026:25098 - Security Advisory
Overview
Moderate: Red Hat build of Keycloak 26.6.3 Update
Type/Severity
Security Advisory: Moderate
Topic
New Red Hat build of Keycloak 26.6.3 packages are available from the Customer Portal
Description
Red Hat build of Keycloak 26.6.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
Security fixes:
- Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)
- Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)
- Denial of Service via malformed LDAP password policy response (CVE-2026-9801)
- Denial of Service via malformed Authorization header (CVE-2026-9803)
- Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)
- Information disclosure via SAML ECP endpoint (CVE-2026-9794)
- Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)
- Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)
- Information disclosure due to user profile permission bypass (CVE-2026-9088)
- Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)
- Improper Access Control on Keycloak Server when the account Account API feature is disabled (CVE-2026-7500)
- Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)
- Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)
- Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)
Solution
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.
Affected Products
- Red Hat build of Keycloak Text-only Advisories x86_64
Fixes
(none)
The Red Hat security contact is secalert@redhat.com. More contact details are available at https://access.redhat.com/security/team/contact/.