Email Verification Flaw in Keycloak OIDC Broker by Red Hat
CVE-2026-14781

4.8 MEDIUM

What is CVE-2026-14781?

A security vulnerability in the org.keycloak.broker.oidc package causes the OIDC broker to mishandle the email_verified claim. When configured with trustEmail=true and with the userinfo endpoint enabled, Keycloak takes the user's email address from the userinfo response while relying on the email_verified status from the id_token, without validating that the two refer to the same address. This flaw can enable an attacker who controls the OIDC provider to mark arbitrary email addresses as verified in the Keycloak database. Such exploitation risks bypassing email-based security measures and can lead to account takeover if the application relies solely on the email_verified flag from the IdP to link accounts.
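As an added illustration (not Keycloak's code), the following Python models the claim-merging step the advisory describes beside the correlation check a fix needs: email and email_verified are only trusted as a pair from the same document. All claim sets are constructed samples; the `sub` consistency check follows OIDC Core section 5.3.2.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class BrokeredIdentity:
    email: Optional[str]
    email_verified: bool


def _truthy(value) -> bool:
    # email_verified may arrive as a JSON boolean or as the string "true"
    return value is True or (isinstance(value, str) and value.lower() == "true")


def merge_vulnerable(id_token: dict, userinfo: dict, trust_email: bool) -> BrokeredIdentity:
    """Pattern the advisory describes: address from userinfo, verified flag
    from the id_token, no check that both refer to the same address."""
    email = userinfo.get("email", id_token.get("email"))
    return BrokeredIdentity(email, trust_email and _truthy(id_token.get("email_verified")))


def merge_hardened(id_token: dict, userinfo: dict, trust_email: bool) -> BrokeredIdentity:
    """email and email_verified are always taken together from one document,
    and userinfo is only used when its sub matches the id_token (OIDC Core 5.3.2)."""
    if userinfo and userinfo.get("sub") != id_token.get("sub"):
        raise ValueError("userinfo sub does not match id_token sub")
    email, verified = id_token.get("email"), _truthy(id_token.get("email_verified"))
    ui_email = userinfo.get("email")
    if ui_email is not None and ui_email.lower() != (email or "").lower():
        # userinfo supplies a different address: its verified status must come
        # from userinfo itself and is never borrowed from the id_token
        email, verified = ui_email, _truthy(userinfo.get("email_verified"))
    return BrokeredIdentity(email, trust_email and verified)


# Constructed sample responses: an honest provider, and one that asserts
# verification for one address in the id_token but returns another in userinfo.
HONEST_ID_TOKEN = {"sub": "u1", "email": "alice@example.com", "email_verified": True}
HONEST_USERINFO = {"sub": "u1", "email": "alice@example.com", "email_verified": True}
HOSTILE_ID_TOKEN = {"sub": "u1", "email": "owned@idp.example", "email_verified": True}
HOSTILE_USERINFO = {"sub": "u1", "email": "victim@example.com"}


def demo() -> dict:
    return {
        "honest_vulnerable": merge_vulnerable(HONEST_ID_TOKEN, HONEST_USERINFO, True),
        "honest_hardened": merge_hardened(HONEST_ID_TOKEN, HONEST_USERINFO, True),
        "hostile_vulnerable": merge_vulnerable(HOSTILE_ID_TOKEN, HOSTILE_USERINFO, True),
        "hostile_hardened": merge_hardened(HOSTILE_ID_TOKEN, HOSTILE_USERINFO, True),
    }
```

Running `demo()` shows the vulnerable merge storing victim@example.com as verified while the hardened merge stores it unverified; with trustEmail disabled, neither path marks any address verified.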

CVSS v3.1

Score: 4.8
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Kevin Bozell for reporting this issue.