8.1

CVE-2026-1529

Org.keycloak.services.resources.organizations: keycloak: unauthorized organization registration via improper invitation token validation

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.
Daten sind bereitgestellt durch das CVE Programm von Authorized Data Publishers (ADP) (Unstrukturiert)
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.2
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.4
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.2.13
Default Statusaffected
HerstellerRed Hat
Produkt Red Hat build of Keycloak 26.4.9
Default Statusaffected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.45% 0.361
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
secalert@redhat.com 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
0b0ca135-0b70-47e7-9f44-1890c2a1c46c 8.1 2.8 5.2
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

https://access.redhat.com/security/cve/CVE-2026-1529
https://bugzilla.redhat.com/show_bug.cgi?id=2433783
https://access.redhat.com/errata/RHSA-2026:2364
https://access.redhat.com/errata/RHSA-2026:2365
https://access.redhat.com/errata/RHSA-2026:2366
https://access.redhat.com/errata/RHSA-2026:2363
https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-1529.json