GHSA-p3v8-fm5p-v84hMediumCVSS 5.9
Keycloak has an Improper Verification of Cryptographic Signature issue
🔗 CVE IDs covered (1)
📋 Description
A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements.
🎯 Affected products1
- maven/org.keycloak:keycloak-services:<= 26.6.4