Email Verification Flaw in Keycloak OIDC Broker by Red Hat
CVE-2026-14781
What is CVE-2026-14781?
A security vulnerability in the org.keycloak.broker.oidc package causes the OIDC broker to mishandle the email_verified claim. When configured with trustEmail=true and with the userinfo endpoint enabled, Keycloak takes the user's email address from the userinfo response while taking the email_verified status from the id_token, without checking that the two refer to the same address. This flaw can enable an attacker who controls the OIDC provider to mark arbitrary email addresses as verified in the Keycloak database. Such exploitation risks bypassing email-based security measures and can lead to account takeover if the application relies solely on the email_verified flag from the IdP to link accounts.
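The following is an added illustration of the correlation check the advisory describes as missing; it is not Keycloak's code and does not model its broker classes. It places the flawed pattern (address from userinfo, verified flag from the id_token, no cross-check) next to a hardened version that only carries the id_token's email_verified flag over when the id_token's own email claim is the address being stored. The claim sets, the BrokeredIdentity type and the function names are constructed for this example.

```python
"""Correlating email and email_verified across the id_token and userinfo.

Added example, not part of the advisory or of Keycloak. Both resolver
functions, the BrokeredIdentity model and the sample claims are assumptions
made for illustration.
"""
from dataclasses import dataclass
from typing import Any, Mapping, Optional


@dataclass(frozen=True)
class BrokeredIdentity:
    """What a broker would persist for the federated user (hypothetical model)."""
    email: Optional[str]
    email_verified: bool


def _normalize_email(value: Any) -> Optional[str]:
    """Trim and lower-case a claim value; anything that is not a non-empty string counts as absent."""
    if isinstance(value, str) and value.strip():
        return value.strip().lower()
    return None


def _verified_flag(claims: Mapping[str, Any]) -> bool:
    """Accept email_verified only as the JSON boolean true, never as a truthy string or number."""
    return claims.get("email_verified") is True


def resolve_email_flawed(id_token: Mapping[str, Any], userinfo: Mapping[str, Any],
                         trust_email: bool = True) -> BrokeredIdentity:
    """The pattern the advisory describes: the address comes from userinfo, the
    verified flag from the id_token, and nothing checks that they belong together."""
    email = _normalize_email(userinfo.get("email")) or _normalize_email(id_token.get("email"))
    verified = trust_email and _verified_flag(id_token)
    return BrokeredIdentity(email=email, email_verified=verified)


def resolve_email_hardened(id_token: Mapping[str, Any], userinfo: Mapping[str, Any],
                           trust_email: bool = True) -> BrokeredIdentity:
    """Same precedence for the address (userinfo first, id_token as fallback), but the
    id_token's email_verified flag is applied only when the id_token's own email claim
    is the address being stored."""
    id_email = _normalize_email(id_token.get("email"))
    ui_email = _normalize_email(userinfo.get("email"))
    email = ui_email or id_email
    if email is None or not trust_email:
        return BrokeredIdentity(email=email, email_verified=False)
    # email_verified in the id_token describes the id_token's email claim, so it
    # carries over only when that claim matches the address we are about to store.
    verified = _verified_flag(id_token) and id_email == email
    return BrokeredIdentity(email=email, email_verified=verified)


# Constructed sample responses from a provider whose userinfo endpoint returns a
# different address than the id_token (not captured from any real IdP).
ID_TOKEN_CLAIMS = {"sub": "user-123", "email": "alice@example.test", "email_verified": True}
USERINFO_CLAIMS = {"sub": "user-123", "email": "victim@example.test"}


if __name__ == "__main__":
    print("flawed:  ", resolve_email_flawed(ID_TOKEN_CLAIMS, USERINFO_CLAIMS))
    print("hardened:", resolve_email_hardened(ID_TOKEN_CLAIMS, USERINFO_CLAIMS))
```

With the constructed claims the flawed resolver stores victim@example.test as verified, while the hardened one stores the same address unverified, so any later account linking that keys off email_verified has to fall back to a local verification step. A string "true" in email_verified is also rejected by both, since only the JSON boolean is accepted.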