Cross-Session Flaw in Keycloak Affects Identity Management Solution
CVE-2026-9087

6.4 MEDIUM

What is CVE-2026-9087?

A security flaw exists in Keycloak where cross-session verification relies solely on local user identifiers. When a verified upstream account is not securely bound to the user's local identity, a different account on the same Identity Provider (IdP) can be used to satisfy the verification step. This means that an attacker holding another account on the same IdP might gain unauthorized access to the victim's local account, potentially compromising sensitive information and user privacy.
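To make the described weakness concrete from the defender's side, the following is an added, self-contained Python model; it is not Keycloak's code and does not reproduce the actual flaw. It contrasts a cross-session check that trusts only the locally pending user id (the pattern the advisory describes) with a hardened check that requires the upstream (IdP alias, subject) pair to resolve to that same local user. All names, identifiers and the sample accounts are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class UpstreamIdentity:
    """Identity asserted by the IdP after a successful upstream login (constructed)."""
    idp_alias: str   # which broker/IdP issued the assertion
    subject: str     # IdP-issued stable identifier (e.g. the 'sub' claim)


@dataclass(frozen=True)
class LocalUser:
    """Local account in the identity-management system (constructed)."""
    user_id: str
    username: str


class FederatedLinkStore:
    """Maps an upstream (idp_alias, subject) pair to exactly one local user id."""

    def __init__(self) -> None:
        self._links: Dict[Tuple[str, str], str] = {}

    def link(self, upstream: UpstreamIdentity, user: LocalUser) -> None:
        # Linking happens only in a session where the local user is already authenticated.
        self._links[(upstream.idp_alias, upstream.subject)] = user.user_id

    def lookup(self, upstream: UpstreamIdentity) -> Optional[str]:
        return self._links.get((upstream.idp_alias, upstream.subject))


def verify_weak(pending_user_id: str, upstream: UpstreamIdentity,
                links: FederatedLinkStore) -> Optional[str]:
    """Weak pattern: the second session only carries a local user id and accepts
    any successful upstream login as confirmation of that id. The upstream
    subject is never compared against the stored link."""
    return pending_user_id


def verify_hardened(pending_user_id: str, upstream: UpstreamIdentity,
                    links: FederatedLinkStore) -> Optional[str]:
    """Hardened pattern: the upstream identity must already be linked to the
    pending local user. An unlinked or differently-linked subject is rejected,
    so another account on the same IdP cannot complete the verification."""
    linked_user = links.lookup(upstream)
    if linked_user is None or linked_user != pending_user_id:
        return None
    return pending_user_id


def demo() -> dict:
    """Runs both checks against a constructed scenario and returns the outcomes."""
    links = FederatedLinkStore()
    alice = LocalUser(user_id="u-alice", username="alice")
    alice_upstream = UpstreamIdentity(idp_alias="corp-oidc", subject="sub-alice")
    other_upstream = UpstreamIdentity(idp_alias="corp-oidc", subject="sub-other")

    # Alice links her own IdP account while authenticated locally.
    links.link(alice_upstream, alice)

    # A second session pending for Alice is completed by a *different* upstream account
    # on the same IdP.
    return {
        "weak_other_account": verify_weak("u-alice", other_upstream, links),
        "hardened_other_account": verify_hardened("u-alice", other_upstream, links),
        "hardened_own_account": verify_hardened("u-alice", alice_upstream, links),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the hardened variant is that the second session's local identifier is never sufficient on its own: the upstream subject that actually authenticated must map back to that same local account through an explicit, previously established link.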

Affected Version(s)

Red Hat build of Keycloak 26.4 26.4.13-1

Red Hat build of Keycloak 26.4 26.4-19

CVSS V3.1

Score: 6.4
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
