{ "threat_severity" : "Important", "public_date" : "2026-02-09T18:21:00Z", "bugzilla" : { "description" : "org.keycloak.services.resources.organizations: Keycloak: Unauthorized organization registration via improper invitation token validation", "id" : "2433783", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2433783" }, "cvss3" : { "cvss3_base_score" : "8.1", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "status" : "verified" }, "cwe" : "CWE-347", "details" : [ "A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.", "A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access." ], "statement" : "This IMPORTANT flaw in Keycloak allows an attacker to register into an unauthorized organization. The vulnerability arises from improper cryptographic signature verification of organization invitation tokens, enabling modification of the organization ID and target email within the JWT payload.", "acknowledgement" : "Red Hat would like to thank Joy Gilbert (gwthr) and Reynaldo Immanuel for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat build of Keycloak 26.2", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2364", "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9", "package" : "rhbk/keycloak-operator-bundle:26.2.13-1" }, { "product_name" : "Red Hat build of Keycloak 26.2", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2364", "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9", "package" : "rhbk/keycloak-rhel9:26.2-15" }, { "product_name" : "Red Hat build of Keycloak 26.2", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2364", "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9", "package" : "rhbk/keycloak-rhel9-operator:26.2-15" }, { "product_name" : "Red Hat build of Keycloak 26.2.13", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2363", "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9", "package" : "rhbk/keycloak-rhel9" }, { "product_name" : "Red Hat build of Keycloak 26.4", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2366", "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9", "package" : "rhbk/keycloak-operator-bundle:26.4.9-1" }, { "product_name" : "Red Hat build of Keycloak 26.4", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2366", "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9", "package" : "rhbk/keycloak-rhel9:26.4-11" }, { "product_name" : "Red Hat build of Keycloak 26.4", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2366", "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9", "package" : "rhbk/keycloak-rhel9-operator:26.4-10" }, { "product_name" : "Red Hat build of Keycloak 26.4.9", "release_date" : "2026-02-09T00:00:00Z", "advisory" : "RHSA-2026:2365", "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9", "package" : "rhbk/keycloak-rhel9" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-1529\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1529" ], "name" : "CVE-2026-1529", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.", "lang" : "en:us" }, "csaw" : false }