RHSA-2026:25098
Severity: Medium
CVSS: 6.8

Red Hat Security Advisory: Red Hat build of Keycloak 26.6.3 Update

Published: June 10, 2026
Last Modified: June 10, 2026

🔗 CVE IDs covered (14)

📋 Description

CVE-2026-4874 — org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation
CVE-2026-7500 — org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the Account API feature is disabled
CVE-2026-8830 — keycloak: org.keycloak/keycloak-services: Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation
CVE-2026-8922 — org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: Security flaw in org.keycloak/keycloak-services
CVE-2026-9087 — keycloak: Cross-Session Email Verification Proof Not Bound to Upstream Identity in First-Broker-Login
CVE-2026-9088 — keycloak: Keycloak: Information disclosure due to user profile permission bypass
CVE-2026-9704 — keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT
CVE-2026-9791 — keycloak-rhel9: Organization Data Leak After Feature Disabled in Keycloak
CVE-2026-9792 — keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition
CVE-2026-9794 — keycloak: Keycloak: Information disclosure via SAML ECP endpoint
CVE-2026-9801 — keycloak: Keycloak: Denial of Service via malformed LDAP password policy response
CVE-2026-9802 — keycloak: Keycloak: Unauthorized account access via replayed refresh tokens after cluster restart
CVE-2026-9803 — keycloak: Keycloak: Denial of Service via malformed Authorization header
CVE-2026-37977 — keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim

🔗 References (3)