Keycloak Cross-Session Verification Key Allows Upstream IdP Account Consuming
CVE-2026-9087 Published on May 20, 2026

Keycloak: cross-session email verification proof not bound to upstream identity in first-broker-login
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.

NVD

Vulnerability Analysis

CVE-2026-9087 can be exploited with network access, requires user interaction and a small amount of user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.

Attack Vector:
NETWORK
Attack Complexity:
HIGH
Privileges Required:
LOW
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
NONE

Timeline

Reported to Red Hat.

Made public.

Weakness Type

What is an Insecure Direct Object Reference / IDOR Vulnerability?

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

CVE-2026-9087 has been classified to as an Insecure Direct Object Reference / IDOR vulnerability or weakness.


Products Associated with CVE-2026-9087

Want to know whenever a new CVE is published for Red Hat Build Keycloak? stack.watch will email you.

Red Hat Build Keycloak
 

Affected Versions

Red Hat Build of Keycloak: