Issued: 2026-06-25
Updated: 2026-06-25
RHSA-2026:30083 - Security Advisory
Synopsis
Important: Red Hat build of Keycloak 26.6.4 Security Update
Type/Severity
Security Advisory: Important
Topic
New Red Hat build of Keycloak 26.6.4 packages are available from the Customer Portal
Description
Red Hat build of Keycloak 26.6.4 is a standalone server, based on
the Keycloak project, that provides authentication and
standards-based single sign-on capabilities for web and mobile
applications.
Security fixes:
- Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)
- Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)
- eclipse-vertx/vert.x: Denial of Service via TLS handshake with wildcard server name (CVE-2026-6860)
- Improper Access Control on Keycloak Server when the Account API feature is disabled (CVE-2026-7500)
- Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)
- Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)
- Information disclosure through arbitrary filesystem path probing (CVE-2026-9083)
- Cross-site scripting (XSS) via case-insensitive URI validation bypass (CVE-2026-9086)
- Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login (CVE-2026-9087)
- Information disclosure due to user profile permission bypass (CVE-2026-9088)
- Group-Admin Escalation to Realm-Admin (CVE-2026-9099)
- Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)
- Attacker can re-enable and take over disabled clients via Registration Access Token (CVE-2026-9705)
- Organization Data Leak After Feature Disabled in Keycloak (CVE-2026-9791)
- Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)
- Information disclosure via SAML ECP endpoint (CVE-2026-9794)
- Privilege escalation via improper scope mapping enforcement (CVE-2026-9795)
- Unauthorized access to resources via UMA permission ticket bypass (CVE-2026-9799)
- Authorization bypass via incorrect URI comparison (CVE-2026-9800)
- Denial of Service via malformed LDAP password policy response (CVE-2026-9801)
- Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)
- Denial of Service via malformed Authorization header (CVE-2026-9803)
Solution
Before applying the update, back up your existing installation,
including all applications, configuration files, databases and
database settings, and so on.
Affected Products
- Red Hat build of Keycloak Text-only Advisories x86_64
Fixes
(none)
CVEs
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.