{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/keycloak-26.5.x/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-2092"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Keycloak (26.2.x)","Keycloak (26.4.x)","Keycloak (26.5.x)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","keycloak","data breach","security policy bypass"],"_cs_type":"advisory","_cs_vendors":["Keycloak"],"content_html":"\u003cp\u003eA vulnerability has been discovered in Keycloak, an open-source identity and access management solution. This flaw allows a remote attacker to potentially compromise the confidentiality of data and circumvent security policies implemented within Keycloak. The vulnerability impacts Keycloak versions 26.2.x before 26.2.14, 26.4.x before 26.4.10, and 26.5.x before 26.5.5. Exploitation of this vulnerability could lead to unauthorized access to sensitive information managed by Keycloak, and a weakening of the overall security posture of systems relying on Keycloak for authentication and authorization. The vulnerability is tracked as CVE-2026-2092.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable Keycloak instance running a version prior to 26.2.14, 26.4.10, or 26.5.5.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request exploiting CVE-2026-2092, targeting a specific endpoint or functionality within Keycloak.\u003c/li\u003e\n\u003cli\u003eThe crafted request bypasses intended security checks or access controls due to the vulnerability.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation allows the attacker to access sensitive data stored or managed by Keycloak, such as user credentials or configuration details.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the compromised credentials or configuration information to gain unauthorized access to other applications or resources protected by Keycloak.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the compromised application or resource, potentially gaining administrative control.\u003c/li\u003e\n\u003cli\u003eThe attacker may exfiltrate sensitive data from the compromised application or resource.\u003c/li\u003e\n\u003cli\u003eThe attacker can modify security policies within Keycloak to further their access and evade detection.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows for a breach of data confidentiality and a bypass of security policies. An attacker could gain unauthorized access to sensitive user data and resources protected by Keycloak. The number of potential victims depends on the scale of Keycloak deployment, and the sectors targeted could be any that rely on Keycloak for identity and access management. If the attack succeeds, organizations risk data breaches, unauthorized access to critical systems, and a degradation of overall security posture.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Keycloak instances to version 26.2.14, 26.4.10, or 26.5.5 (or later in the respective branch) to remediate CVE-2026-2092, as recommended in the Keycloak GHSA-794g-x443-36f7 security bulletin.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity targeting Keycloak endpoints, specifically looking for patterns indicative of exploitation attempts related to CVE-2026-2092.\u003c/li\u003e\n\u003cli\u003eDeploy a web application firewall (WAF) with rules to detect and block exploitation attempts targeting Keycloak.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-01T15:29:45Z","date_published":"2026-06-01T15:29:45Z","id":"https://feed.craftedsignal.io/briefs/2026-06-keycloak-vuln/","summary":"A vulnerability in Keycloak versions prior to 26.2.14, 26.4.10, and 26.5.5 allows an attacker to cause a breach of data confidentiality and bypass the security policy, as tracked by CVE-2026-2092.","title":"Keycloak Vulnerability Allows Data Confidentiality Breach and Security Policy Bypass","url":"https://feed.craftedsignal.io/briefs/2026-06-keycloak-vuln/"}],"language":"en","title":"CraftedSignal Threat Feed — Keycloak (26.5.x)","version":"https://jsonfeed.org/version/1.1"}