ctipilot.ch

Keycloak JWT algorithm confusion -> federated-user impersonation (deep dive)

cve · CVE-2026-11800

Coverage timeline: 1 (first 2026-06-28 → last 2026-06-28)
Briefs: 1 (1 distinct)
Sources cited: 10 (7 hosts)
Sections touched: 1 (deep_dive)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-06-28 · CTI Daily Brief — 2026-06-28
     deep_dive · Deep dive. CVSS 8.1, CWE-347. Attacker with any valid client credential forges a JWT-grant assertion to impersonate any federated user, incl. admins. Keycloak 26.6.4 fixes 8 CVEs, incl. CVE-2026-9800 (policy-enforcer bypass) and CVE-2026-9099 (group -> realm-admin). Maps to T1550.001 / T1556.006.

Where this entity is cited

  • deep_dive: 1

Source distribution

  • keycloak.org: 3 (30%)
  • wid.cert-bund.de: 2 (20%)
  • advisories.ncsc.nl: 1 (10%)
  • content.naic.org: 1 (10%)
  • github.com: 1 (10%)
  • techcrunch.com: 1 (10%)
  • vulncheck.com: 1 (10%)

External references

NVD · cve.org · CISA KEV

All cited sources (10)

Items in briefs about Keycloak JWT algorithm confusion -> federated-user impersonation (deep dive)

No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.