Keycloak 26.6.3 — 16 CVEs in the EU public sector's reference IAM, led by token-exchange privilege escalation and SSRF [SINGLE-SOURCE vendor advisory]
From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08
Released 2026-06-04 (Keycloak; covered in depth in the 2026-06-07 daily). CVE-2026-9704 is a privilege escalation in OAuth 2.0 token exchange: a low-privilege client omits the subject_token parameter and Keycloak issues a token under the requesting client's identity rather than rejecting the malformed request, enabling lateral movement between service identities (T1550.001). CVE-2026-4874 turns the OIDC token endpoint into an SSRF primitive, giving an attacker who can reach the endpoint a pivot into internal services Keycloak is permitted to contact. Additional CVEs of note: CVE-2026-8830 (missing server-side WebAuthn attestation validation, which undermines the enrolment assurance of phishing-resistant MFA); CVE-2026-9802 (a restart resets startupTime, allowing replay of rotated refresh tokens). No in-the-wild exploitation reported; prioritise patching any internet-reachable Keycloak underpinning e-government SSO or SAML federation.

Detection: alert on token_exchange events in the Keycloak event log where subject_token is absent but a token is issued; watch for outbound connections from the Keycloak service host to non-allow-listed internal addresses correlated with token-endpoint requests.
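The first detection above, as an added example (not from the advisory or from Keycloak) run over constructed newline-delimited JSON event records: it flags successful token-exchange events that carry no subject_token. The record shape is an assumption: success and rejection are modelled as event types TOKEN_EXCHANGE and TOKEN_EXCHANGE_ERROR, and the presence of subject_token as an assumed details.subject_token_present flag; map these to whatever your Keycloak event export or SIEM actually emits.

```python
# Added example, not Keycloak's own code. Field names below (type, clientId,
# ipAddress, details.grant_type, details.subject_token_present) are assumptions
# about the exported event shape, not a documented Keycloak schema.
import json

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"


def is_suspicious_exchange(event: dict) -> bool:
    """True for a *successful* token exchange that lacked a subject_token.

    A TOKEN_EXCHANGE event (as opposed to TOKEN_EXCHANGE_ERROR) is taken to
    mean a token was issued; that is the condition the advisory describes.
    """
    if event.get("type") != "TOKEN_EXCHANGE":
        return False
    details = event.get("details") or {}
    if details.get("grant_type") != TOKEN_EXCHANGE_GRANT:
        return False
    return not details.get("subject_token_present", False)


def find_suspicious(lines):
    """Return (time, clientId, ipAddress) for every matching event line."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than crash the detector
        if is_suspicious_exchange(event):
            hits.append((event.get("time"), event.get("clientId"), event.get("ipAddress")))
    return hits


# Constructed sample records (not real Keycloak output).
SAMPLE_EVENTS = """
{"time": "2026-06-05T09:12:01Z", "type": "TOKEN_EXCHANGE", "realmId": "egov", "clientId": "portal-frontend", "ipAddress": "10.0.4.17", "details": {"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "subject_token_present": true}}
{"time": "2026-06-05T09:12:44Z", "type": "TOKEN_EXCHANGE", "realmId": "egov", "clientId": "reporting-batch", "ipAddress": "10.0.9.3", "details": {"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "subject_token_present": false}}
{"time": "2026-06-05T09:13:02Z", "type": "TOKEN_EXCHANGE_ERROR", "realmId": "egov", "clientId": "reporting-batch", "ipAddress": "10.0.9.3", "details": {"grant_type": "urn:ietf:params:oauth:grant-type:token-exchange", "subject_token_present": false}}
{"time": "2026-06-05T09:14:10Z", "type": "LOGIN", "realmId": "egov", "clientId": "portal-frontend", "ipAddress": "10.0.4.17", "details": {}}
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS.splitlines()):
        print("ALERT token exchange without subject_token:", hit)
```

Only the second record fires: the rejected exchange (TOKEN_EXCHANGE_ERROR) is the patched behaviour and is deliberately not alerted on.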