CVE-2026-9087
Public on 2026-05-20
Modified on 2026-05-21
Description
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId,
idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | keycloak-httpd-client-install | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 6.4 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |