CVE-2026-11800 (JWT algorithm-confusion) and CVE-2026-9800 (policy-enforcer authz bypass) — Keycloak identity-plane fixes
From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29
Keycloak 26.6.4 fixed eight CVEs. The headline flaw is CVE-2026-11800, a JWT algorithm-confusion weakness that lets an attacker holding valid client credentials forge an assertion, bypass signature verification and impersonate any federated user behind the affected identity provider (GHSA-gqj5-2xp5-3qmp, BSI WID-SEC-2026-2093); the bundled CVE-2026-9800 is a separate policy-enforcer authorization bypass caused by incorrect URI comparison. Keycloak is the IdP of choice across European public-sector, healthcare and finance deployments — these are identity-plane breaks, not app bugs. Patch to 26.6.4.
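The defensive check behind the algorithm-confusion class named above, as an added example that is not Keycloak's code and does not reproduce the CVE-2026-11800 mechanism: the verifier pins the algorithm it will accept instead of dispatching on the token's own `alg` header, and only parses claims after the signature holds. The HMAC secret, claims and token layout are constructed for the demo; HS256 stands in for whatever algorithm a real deployment pins.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key; a real verifier loads its keys from a key store.
SECRET = b"demo-shared-secret-not-for-production"
EXPECTED_ALG = "HS256"  # pinned by the verifier, never taken from the token

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict) -> str:
    """Issue a compact HS256 JWT (used here only to build test tokens)."""
    header = b64url_encode(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify_jwt(token: str, now=None):
    """Return the claims only if every check passes, otherwise None.
    Algorithm confusion comes from dispatching on header["alg"] (accepting
    "none", or an HMAC alg keyed with a public key); here the header must
    equal EXPECTED_ALG and anything else is rejected before signature code runs.
    """
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64url or malformed JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        return None
    signing_input = f"{header_b64}.{body_b64}".encode()
    expected = hmac.new(SECRET, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # constant-time comparison of the full digest
    try:
        claims = json.loads(b64url_decode(body_b64))  # parsed only after the MAC holds
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        return None  # a missing or elapsed exp is a rejection, not a pass
    return claims
```

The same shape applies to asymmetric algorithms: the verifier chooses the algorithm and the key, and a header that names anything else is a reject, not a hint.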