CVE-2026-9793
Summary (GitHub advisory)
A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit unauthorized claims, leading to a compromise of data integrity within the OpenID Connect (OIDC) authorization flow. While a redirect URI allowlist acts as a compensating control, this vulnerability violates OIDC Core and Financial-grade API (FAPI) signing requirements.
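The failure mode described above is a policy gap after decryption: the JWE layer succeeds, and the inner content is then consumed without checking that it is the signed JWS the configured policy requires. The following is an added illustration, not Keycloak's code, that models the two code paths side by side: a vulnerable handler that accepts raw JSON straight out of the JWE, and a hardened handler that rejects raw JSON whenever a signing algorithm is configured, pins the JWS `alg` header to that policy (so an `alg: none` header is also refused), and only then verifies the signature and releases the claims. HS256 with a constructed shared secret is used purely so the example runs on the Python standard library; the check itself does not depend on the algorithm, and a FAPI deployment would pin an asymmetric algorithm such as PS256 instead. All names, keys and claim values are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json


class RequestObjectRejected(Exception):
    """Raised when a request object does not satisfy the signature policy."""


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_signed_request_object(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWS carrying the request-object claims (demo helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def _verify_compact_jws(token: str, required_alg, key: bytes) -> dict:
    """Verify a compact JWS against the configured algorithm and return its claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise RequestObjectRejected("decrypted content is not a compact JWS")
    header = json.loads(_b64url_decode(parts[0]))
    alg = header.get("alg")
    # Pin the header alg to policy first: this is what blocks 'none' and downgrades.
    if required_alg is not None and alg != required_alg:
        raise RequestObjectRejected(f"alg {alg!r} does not match required {required_alg!r}")
    if alg != "HS256":  # the only algorithm this stdlib-only demo implements
        raise RequestObjectRejected(f"unsupported alg {alg!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
        raise RequestObjectRejected("signature verification failed")
    return json.loads(_b64url_decode(parts[1]))


def process_request_object_vulnerable(plaintext: bytes, required_alg, key: bytes) -> dict:
    """Models the advisory's flaw: raw JSON inside the JWE bypasses the signing policy."""
    text = plaintext.decode("utf-8")
    if text.lstrip().startswith("{"):
        return json.loads(text)  # BUG: unsigned claims are accepted without any check
    return _verify_compact_jws(text, required_alg, key)


def process_request_object_hardened(plaintext: bytes, required_alg, key: bytes) -> dict:
    """Enforces the policy: with a required algorithm, the JWE must wrap a nested JWS."""
    text = plaintext.decode("utf-8")
    if text.lstrip().startswith("{"):
        if required_alg is not None:
            raise RequestObjectRejected("policy requires a signed request object; got raw JSON")
        return json.loads(text)  # unsigned only when no signing policy is configured
    return _verify_compact_jws(text, required_alg, key)


def demo() -> dict:
    """Run both handlers on a signed and an unsigned (raw JSON) decrypted payload."""
    key = b"constructed-demo-key"  # constructed shared secret for the demo only
    claims = {
        "iss": "demo-client",
        "aud": "https://idp.example/realms/demo",
        "redirect_uri": "https://client.example/cb",
        "scope": "openid",
    }
    signed = make_signed_request_object(claims, key).encode("ascii")
    raw = json.dumps(claims).encode("utf-8")  # what a JWE with raw JSON inside decrypts to
    results = {
        "signed_ok": process_request_object_hardened(signed, "HS256", key) == claims,
        "vulnerable_accepts_raw": process_request_object_vulnerable(raw, "HS256", key) == claims,
    }
    try:
        process_request_object_hardened(raw, "HS256", key)
        results["hardened_rejects_raw"] = False
    except RequestObjectRejected:
        results["hardened_rejects_raw"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering inside `_verify_compact_jws` matters: the `alg` header is compared with the configured policy before any cryptographic work, so a token that declares a different or absent algorithm is refused without ever reaching signature verification, and the raw-JSON branch in the hardened handler is only reachable when no signing policy exists at all.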
EPSS Score: 0.0012 (0.021)
Common Weakness Enumeration (CWE), as assigned by NIST, GitHub and Red Hat: Improper Verification of Cryptographic Signature

Per-source advisory records:
NIST: Advisory ID CVE-2026-9793; CVSS score 5.9 (medium); exploitability score 2.2; exploits found: none listed
GitHub: Advisory ID GHSA-p3v8-fm5p-v84h; CVSS score 5.9 (medium); exploitability score 2.2; exploits found: none listed
Red Hat: Advisory ID CVE-2026-9793; exploitability score 2.2; exploits found: none listed