CVE Reports

Originally published at cvereports.com

CVE-2026-1529: Keycloak Unlocked: Bypassing Org Security with CVE-2026-1529


Vulnerability ID: CVE-2026-1529
CVSS Score: 8.1
Published: 2026-02-09

A critical lapse in cryptographic hygiene within Keycloak's 'Organizations' feature allows attackers to forge invitation tokens. By neglecting to verify the digital signature of JSON Web Tokens (JWTs), Keycloak inadvertently permitted anyone with a valid invite to modify the payload—swapping organization IDs and email addresses—to gain unauthorized access to restricted tenants.

TL;DR

Keycloak forgot to verify JWT signatures in the organization invitation flow. Attackers can take a valid invite token, change the organization ID in the payload to whatever they want, and self-register into restricted organizations without ever holding the realm's signing key. It's a high-severity bypass (CVSS 8.1) affecting versions prior to late January 2026.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-347 (Improper Verification of Cryptographic Signature)
  • CVSS v3.1: 8.1 (High)
  • Attack Vector: Network (AV:N)
  • Privileges Required: Low (PR:L)
  • Exploit Status: PoC Available
  • EPSS Score: 0.00016 (Rising)
  • Impact: High Integrity & Confidentiality Loss

Affected Systems

  • Keycloak 26.2.0 - 26.2.12 (fixed in 26.2.13-1)
  • Keycloak 26.4.0 - 26.4.8 (fixed in 26.4.9-1)
  • Red Hat build of Keycloak (RHBK)

Code Analysis

Commit: 8fc9a98

Fix: Verify invitation token signature in Organizations resource

Before (vulnerable): TokenVerifier.create(...)
After (fixed):       TokenVerifier.create(...).withChecks(...).verifier(...).verify()
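To make the TL;DR and the one-line fix summary above concrete, here is an added Python example; it is not code from the original report or from the Keycloak project. It uses HS256 instead of Keycloak's RS256 so that it runs on the standard library alone, and the claim names org_id and email, the demo key, and every function name are assumptions. parse_unverified mirrors the pre-fix behaviour of reading claims without checking the signature; parse_verified mirrors what the patch adds (signature check before the claims are trusted), and doubles as the kind of regression check that remediation step 5 describes.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret standing in for the realm signing key. Keycloak signs
# its tokens with RS256; HS256 is used here only to stay standard-library-only.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _encode_json(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode())


def issue_invitation(key: bytes, org_id: str, email: str, ttl: int = 3600) -> str:
    """Mint an HS256 invitation token. The claim names are hypothetical."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"org_id": org_id, "email": email, "iat": now, "exp": now + ttl}
    signing_input = _encode_json(header) + "." + _encode_json(payload)
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def parse_unverified(token: str) -> dict:
    """Pre-fix pattern: read the claims out of the payload and never look at the signature."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def parse_verified(token: str, key: bytes, now: Optional[int] = None) -> dict:
    """Post-fix pattern: pin the algorithm, recompute the MAC over header.payload,
    compare it in constant time, and only then trust the claims (plus an exp check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    payload = json.loads(_b64url_decode(payload_b64))
    current = now if now is not None else int(time.time())
    if int(payload.get("exp", 0)) <= current:
        raise ValueError("token expired")
    return payload


def rewrite_org_claim(token: str, new_org_id: str) -> str:
    """Build the regression-test input: original signature kept, org_id swapped.
    A patched server must reject exactly this token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["org_id"] = new_org_id
    return ".".join([header_b64, _encode_json(payload), sig_b64])


def compare_parsers(key: bytes = DEMO_KEY) -> tuple:
    """Returns (org_id the unverified parser believes, whether the verified parser rejected it)."""
    genuine = issue_invitation(key, "org-alpha", "alice@partner.example")
    modified = rewrite_org_claim(genuine, "org-restricted")
    believed = parse_unverified(modified)["org_id"]
    try:
        parse_verified(modified, key)
        rejected = False
    except ValueError:
        rejected = True
    return believed, rejected


if __name__ == "__main__":
    print(compare_parsers())  # ('org-restricted', True)
```

The verified path deliberately rejects before it decodes any claim it will act on, and it compares the MAC with hmac.compare_digest rather than ==, so timing does not leak which byte of a guessed signature was wrong.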

Exploit Details

  • GitHub: Python script for modifying JWT claims in Keycloak invitation tokens
  • GitHub: Registration endpoint bypass tool

Mitigation Strategies

  • Update Keycloak to the latest patched version immediately.
  • Disable the 'Organizations' feature profile if not strictly required.
  • Audit registration logs for suspicious organization IDs or email domain mismatches.
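The third bullet, auditing registration logs for organization ID and email domain mismatches, as an added Python example; it is not taken from the report or from Keycloak's own tooling. The event shape and field names (INVITE_ISSUED, ORG_REGISTER, invite_id, org_id, email, ip) are assumptions, and the sample events are constructed, so map your real invitation and registration events into this shape first. It goes slightly beyond the bullet by also flagging registrations that reference an invitation never issued, and invitations consumed more than once.

```python
import json
from typing import Dict, Iterable, List

# Constructed sample events (not real Keycloak log output). Field names are an
# assumption for this example.
SAMPLE_EVENTS = """\
{"type":"INVITE_ISSUED","invite_id":"inv-001","org_id":"org-alpha","email":"alice@partner.example"}
{"type":"INVITE_ISSUED","invite_id":"inv-002","org_id":"org-alpha","email":"bob@partner.example"}
{"type":"ORG_REGISTER","invite_id":"inv-001","org_id":"org-alpha","email":"alice@partner.example","ip":"203.0.113.10"}
{"type":"ORG_REGISTER","invite_id":"inv-002","org_id":"org-finance","email":"bob@partner.example","ip":"203.0.113.11"}
{"type":"ORG_REGISTER","invite_id":"inv-002","org_id":"org-alpha","email":"mallory@attacker.example","ip":"198.51.100.7"}
{"type":"ORG_REGISTER","invite_id":"inv-999","org_id":"org-alpha","email":"eve@attacker.example","ip":"198.51.100.8"}
"""


def parse_events(text: str) -> Iterable[dict]:
    """Yield one dict per non-empty JSON line."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def _domain(email: str) -> str:
    return email.rsplit("@", 1)[-1].lower()


def audit_registrations(events: Iterable[dict]) -> List[Dict[str, str]]:
    """Cross-check every organization registration against the invitation it claims to use.
    Returns one finding per discrepancy, in event order."""
    invites: Dict[str, dict] = {}
    used: set = set()
    findings: List[Dict[str, str]] = []

    def flag(ev: dict, reason: str, detail: str) -> None:
        findings.append({"invite_id": ev["invite_id"], "reason": reason,
                         "detail": detail, "ip": ev.get("ip", "")})

    for ev in events:
        if ev["type"] == "INVITE_ISSUED":
            invites[ev["invite_id"]] = ev
        elif ev["type"] == "ORG_REGISTER":
            inv = invites.get(ev["invite_id"])
            if inv is None:
                flag(ev, "unknown_invite", "registration references an invitation that was never issued")
                continue
            # The CVE's core symptom: the org joined differs from the org the invite was issued for.
            if inv["org_id"] != ev["org_id"]:
                flag(ev, "org_mismatch", f"invited to {inv['org_id']} but joined {ev['org_id']}")
            # Invitee email domain differs from the registering account's domain.
            if _domain(inv["email"]) != _domain(ev["email"]):
                flag(ev, "email_domain_mismatch", f"invite for {inv['email']} used by {ev['email']}")
            # One invitation should complete one registration.
            if ev["invite_id"] in used:
                flag(ev, "invite_reused", "invitation consumed more than once")
            used.add(ev["invite_id"])
    return findings


def audit_sample() -> List[tuple]:
    """Convenience wrapper over the constructed sample: (invite_id, reason) pairs."""
    return [(f["invite_id"], f["reason"]) for f in audit_registrations(parse_events(SAMPLE_EVENTS))]


if __name__ == "__main__":
    for finding in audit_registrations(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

Run against an export of invitation and registration events from the affected window, and treat any org_mismatch hit as a candidate account to review and remove before rolling the patch out.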

Remediation Steps:

  1. Identify current Keycloak version (e.g., via admin console or version endpoint).
  2. Download the patched distribution (26.2.13-1+, 26.4.9-1+).
  3. Back up the database and realm configurations.
  4. Deploy the new binaries and restart the Keycloak service.
  5. Verify the fix by attempting to use a modified token against the registration endpoint (it should now fail).

References


Read the full report for CVE-2026-1529 on our website for more details including interactive diagrams and full exploit analysis.
