Cross-Session Flaw in Keycloak Affects Identity Management Solution
CVE-2026-9087

6.4 MEDIUM

Key Information:

Vendor

Red Hat

CVE Published:
20 May 2026

What is CVE-2026-9087?

Keycloak contains a flaw in how verified upstream accounts from an Identity Provider (IdP) are associated with a user's local identity. The cross-session verification step keys on the local user identifier alone, rather than on the specific upstream account that was verified, so a verified upstream account is not securely bound to the local account it was verified for. As a result, any other account on the same IdP can satisfy the check: an attacker who holds a second account on the same IdP as the victim may gain unauthorized access to the victim's local account, with the loss of confidentiality and integrity of the data behind it that this implies.
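The following is an added illustration, not Keycloak's code: a simplified in-memory model of the flaw class described above, in which a cross-session link verification is keyed on the local user id alone, next to a strict version that binds the flow to the exact upstream account (issuer plus that IdP's per-account subject) that started it. The IdP URL, subjects, user ids and stores are constructed for the example.

```python
"""Binding an upstream IdP account to a local user: weak vs. strict check.

Added illustration, not Keycloak's code: a simplified in-memory model of the
flaw class the advisory describes, a cross-session verification flow that is
keyed on the local user id alone instead of on the specific upstream account
that was requested. IdP URL, subjects, user ids and stores are constructed.
"""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class UpstreamIdentity:
    issuer: str   # which IdP (constructed URL)
    subject: str  # stable per-account identifier issued by that IdP ("sub")


@dataclass
class LocalUser:
    user_id: str
    links: set = field(default_factory=set)  # upstream accounts proven to be this user's


class LinkError(Exception):
    pass


def start_link(pending: dict, user: LocalUser, upstream: UpstreamIdentity) -> str:
    """Session 1: user asks to link `upstream` to their local account. The token
    (e.g. delivered by email) records exactly which upstream account was requested."""
    token = secrets.token_urlsafe(16)
    pending[token] = (user.user_id, upstream)
    return token


def complete_link_weak(pending: dict, users: dict, user_id: str,
                       upstream: UpstreamIdentity) -> LocalUser:
    """Session 2, weak check: the pending request is looked up by local user id only,
    and whatever upstream account shows up gets linked. Anyone with another
    account on the same IdP can therefore finish the victim's flow."""
    token = next((t for t, (uid, _req) in pending.items() if uid == user_id), None)
    if token is None:
        raise LinkError("no pending request for %s" % user_id)
    del pending[token]
    users[user_id].links.add(upstream)
    return users[user_id]


def complete_link_strict(pending: dict, users: dict, token: str,
                         upstream: UpstreamIdentity) -> LocalUser:
    """Session 2, strict check: the unguessable token selects the request, and the
    upstream account completing it must be the one that started it. The token
    is consumed either way, so a failed attempt cannot be retried."""
    entry = pending.pop(token, None)
    if entry is None:
        raise LinkError("unknown or already used link token")
    user_id, requested = entry
    if requested != upstream:
        raise LinkError("%s:%s does not match the upstream account that started the flow"
                        % (upstream.issuer, upstream.subject))
    users[user_id].links.add(upstream)
    return users[user_id]


def resolve_by_link(users: dict, upstream: UpstreamIdentity) -> LocalUser:
    """Broker login: choose the local account by (issuer, subject), never by a
    profile attribute such as email that a different upstream account could carry."""
    for user in users.values():
        if upstream in user.links:
            return user
    raise LinkError("unlinked upstream account")


def scenario() -> dict:
    """The victim starts linking their IdP account; an attacker holding a second
    account on the same IdP tries to complete it. Returns the outcome of both flows."""
    idp = "https://idp.example.test"  # constructed
    victim_upstream = UpstreamIdentity(idp, "sub-victim")
    attacker_upstream = UpstreamIdentity(idp, "sub-attacker")
    out = {}

    users, pending = {"u-victim": LocalUser("u-victim")}, {}
    start_link(pending, users["u-victim"], victim_upstream)
    complete_link_weak(pending, users, "u-victim", attacker_upstream)
    out["weak_links"] = set(users["u-victim"].links)
    out["weak_login_as"] = resolve_by_link(users, attacker_upstream).user_id

    users, pending = {"u-victim": LocalUser("u-victim")}, {}
    token = start_link(pending, users["u-victim"], victim_upstream)
    try:  # even with the token in hand, the attacker's account is rejected
        complete_link_strict(pending, users, token, attacker_upstream)
        out["strict_error"] = None
    except LinkError as exc:
        out["strict_error"] = str(exc)
    out["strict_links"] = set(users["u-victim"].links)
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

In the weak flow the attacker's upstream account ends up linked to the victim's local user, and a later broker login with that account resolves to the victim; in the strict flow the attacker is refused even if the verification token leaked, because the check compares the full (issuer, subject) pair rather than the local user id.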

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
Score: 6.4
Severity: MEDIUM
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published: 20 May 2026

  • Vulnerability reserved