What is GHSA-p3v8-fm5p-v84h?

GHSA-p3v8-fm5p-v84h is a security advisory published by GitHub Security Advisories with Medium severity. A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is...

Which CVE IDs does GHSA-p3v8-fm5p-v84h cover?

GHSA-p3v8-fm5p-v84h covers the following CVE IDs: CVE-2026-9793. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-p3v8-fm5p-v84h?

GHSA-p3v8-fm5p-v84h has a CVSS v3 base score of 5.9, published by GitHub Security Advisories.

GHSA-p3v8-fm5p-v84hMediumCVSS 5.9

A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is...

Vendor

GitHub Security Advisories

Published

May 28, 2026

Last Modified

May 28, 2026

🔗 CVE IDs covered (1)

CVE-2026-9793 →

📋 Description

A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-9793
https://access.redhat.com/security/cve/CVE-2026-9793
https://bugzilla.redhat.com/show_bug.cgi?id=2482460
https://github.com/advisories/GHSA-p3v8-fm5p-v84h