<Vulnerability name="CVE-2026-9087">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-05-20T14:53:44</PublicDate>
    <Bugzilla id="2480172" url="https://bugzilla.redhat.com/show_bug.cgi?id=2480172" xml:lang="en:us">
keycloak: Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.4</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-639</CWE>
    <Details xml:lang="en:us" source="Mitre">
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
    </Details>
    <Statement xml:lang="en:us">
A flaw in the cross-session email verification step of Keycloak's first-broker-login flow allows an attacker to gain persistent access to a victim's local account. Exploitation requires that the attacker control an account on the same upstream identity provider that carries the victim's email address, that the victim be in the middle of linking that provider to their local account, that email verification be enabled, and that the provider be configured with `trustEmail=false`. Because the verification proof is keyed only by the local user and the provider alias, and not by which upstream account was verified, the attacker's upstream account can consume the proof the victim generated and be linked to the victim's local account.
    </Statement>
    <Mitigation xml:lang="en:us">
To mitigate this issue, set `trustEmail=true` on the affected identity provider. Keycloak then accepts the email address asserted by the upstream identity provider as already verified and skips the vulnerable verification flow. Apply this only if the upstream identity provider is fully trusted to verify email addresses and to prevent the creation of a second account with an email address that is already in use, because with `trustEmail=true` the provider's email claim alone decides which local account a brokered login is linked to. Configuration changes may require a Keycloak service restart or reload to take effect.
    </Mitigation>
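The flaw described in the Details and the effect of the trustEmail mitigation, modelled as an added Python example. This is not Keycloak code and not part of this advisory: the first-broker-login flow is reduced to a proof store plus a broker, the vulnerable store keys the proof by (local userId, idpAlias) exactly as the Details describe, and a hardened store additionally binds the proof to the upstream subject that was verified. The field names brokerUserId and trustEmail mirror Keycloak's BrokeredIdentityContext and IdentityProviderModel; every other class, function and the sample accounts are hypothetical and constructed for the example.

```python
"""Model of the CVE-2026-9087 linking flaw. Added example, not Keycloak source.

Keycloak's first-broker-login flow is reduced to a proof store and a broker:
  - the vulnerable store keys the verification proof by (local userId, idpAlias);
  - the hardened store also binds it to the upstream subject that was verified.
brokerUserId and trustEmail mirror Keycloak's BrokeredIdentityContext and
IdentityProviderModel fields; every other name below is hypothetical.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class UpstreamIdentity:
    """What the upstream IdP asserts about one of its accounts."""
    idp_alias: str
    broker_user_id: str  # the provider's 'sub' for this account
    email: str


@dataclass
class IdentityProviderConfig:
    alias: str
    trust_email: bool  # Keycloak's trustEmail setting on the provider


class ProofStore:
    """Cross-session email verification proofs. bind_upstream=False reproduces the flaw."""

    def __init__(self, bind_upstream: bool) -> None:
        self.bind_upstream = bind_upstream
        self._proofs: set = set()

    def _key(self, user_id: str, identity: UpstreamIdentity) -> tuple:
        if self.bind_upstream:
            return (user_id, identity.idp_alias, identity.broker_user_id)
        # CWE-639: the key omits which upstream account was actually verified
        return (user_id, identity.idp_alias)

    def record(self, user_id: str, identity: UpstreamIdentity) -> None:
        self._proofs.add(self._key(user_id, identity))

    def consume(self, user_id: str, identity: UpstreamIdentity) -> bool:
        key = self._key(user_id, identity)
        if key not in self._proofs:
            return False
        self._proofs.remove(key)  # one-time proof
        return True


class Broker:
    def __init__(self, idp: IdentityProviderConfig, store: ProofStore) -> None:
        self.idp = idp
        self.store = store
        self.links: dict = {}  # local user id -> set of (alias, broker_user_id)

    def record_verification(self, user_id: str, identity: UpstreamIdentity) -> None:
        """The victim clicked the verification email sent for this linking attempt."""
        self.store.record(user_id, identity)

    def first_broker_login(self, user_id: str, local_email: str,
                           identity: UpstreamIdentity) -> bool:
        """Return True if the upstream identity got linked to the local user."""
        if identity.idp_alias != self.idp.alias or identity.email != local_email:
            return False  # no existing-account conflict; out of scope here
        # trustEmail=true skips the proof entirely and trusts the provider's claim
        if self.idp.trust_email or self.store.consume(user_id, identity):
            self.links.setdefault(user_id, set()).add(
                (identity.idp_alias, identity.broker_user_id))
            return True
        return False  # the caller must verify the email in this session first


def run_scenario(bind_upstream: bool, trust_email: bool) -> dict:
    """Replay the three sessions from the advisory and report who got linked."""
    idp = IdentityProviderConfig("corp-oidc", trust_email)
    broker = Broker(idp, ProofStore(bind_upstream))
    # Constructed sample data: two upstream accounts on the same provider,
    # both carrying the victim's email address.
    victim_up = UpstreamIdentity("corp-oidc", "sub-victim", "alice@example.com")
    attacker_up = UpstreamIdentity("corp-oidc", "sub-attacker", "alice@example.com")
    local_user, local_email = "local-alice", "alice@example.com"

    # Session 1: the victim starts linking and completes email verification.
    broker.record_verification(local_user, victim_up)
    # Session 2: the attacker logs in through the other upstream account.
    attacker_linked = broker.first_broker_login(local_user, local_email, attacker_up)
    # Session 3: the victim returns to finish linking.
    victim_linked = broker.first_broker_login(local_user, local_email, victim_up)
    return {"attacker_linked": attacker_linked, "victim_linked": victim_linked}


if __name__ == "__main__":
    for bind, trust in ((False, False), (True, False), (True, True)):
        print(f"bind_upstream={bind} trustEmail={trust}: {run_scenario(bind, trust)}")
```

With the vulnerable key and trustEmail=false the attacker's session consumes the victim's proof and is linked, and the victim's own return visit then fails because the one-time proof is gone. Binding the key to broker_user_id reverses that: the attacker is rejected and the victim links normally. The trustEmail=true run links both accounts, which is the caveat the Mitigation states: the setting removes the vulnerable step but leaves it entirely to the upstream provider to stop a second account from carrying an existing email address.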
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhbk/keycloak-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-9087
https://nvd.nist.gov/vuln/detail/CVE-2026-9087
    </References>
</Vulnerability>