CVE-2026-11800
ADVISORY - dockerSummary
Description
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthorized access tokens. This enables the attacker to impersonate any federated user linked to the affected Identity Provider, leading to unauthorized access and potential privilege escalation.
EPSS Score: 0.0019 (0.088)
Common Weakness Enumeration (CWE)
Docker
CREATED
UPDATED
ADVISORY ID
CVE-2026-11800
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
| Package | Type | OS Name | OS Version | Affected Ranges | Fix Versions |
|---|---|---|---|---|---|
| keycloak | dhi | - | - | <26.6.4 | 26.6.4 |
Severity and metrics
No CVSS data available from this advisory.