GHSA-m6qj-3mpp-57v8MediumCVSS 6.4

Keycloak: Insufficient verification proof scoping enables identity provider account linking attack and account compromise

Published
May 20, 2026
Last Modified
June 11, 2026

🔗 CVE IDs covered (1)

📋 Description

A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.

🎯 Affected products1

  • maven/org.keycloak:keycloak-services:< 26.6.3

🔗 References (8)