ctipilot.ch


CVE-2026-11800 (JWT algorithm-confusion) and CVE-2026-9800 (policy-enforcer authz bypass) — Keycloak identity-plane fixes

Notable vulnerability · discovered 2026-06-29 00:21 UTC

Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))

Keycloak 26.6.4 fixes eight CVEs. The headline flaw is CVE-2026-11800, a JWT algorithm-confusion bug: an attacker holding valid client credentials can forge an assertion that passes signature verification and impersonate any federated user behind the affected identity provider (GHSA-gqj5-2xp5-3qmp, BSI WID-SEC-2026-2093). Bundled with it, CVE-2026-9800 is a separate authorization bypass in the policy enforcer, caused by incorrect URI comparison when matching requests against protected-resource policies. Keycloak is the IdP of choice across European public-sector, healthcare and finance deployments, and both flaws are identity-plane breaks rather than application bugs: they sit in the component every downstream app trusts for authentication and authorization. Patch to 26.6.4.
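As an added illustration of the two bug classes named above (generic code written for this brief, not Keycloak's implementation, and not the specific CVE mechanics, which the advisory text here does not spell out): part one shows a verifier that lets the token's own `alg` header choose the check, so an unsigned `none` token and an HS256 token keyed with the issuer's public-key bytes both pass, beside a verifier that pins the algorithm from configuration; part two shows a path-prefix policy check defeated by percent-encoding, dot segments and doubled slashes, beside one that normalizes the path before comparing. The PEM string, HMAC secret, claims and paths are all constructed; the public key is a fake stand-in, since the only property the confusion needs is that its bytes are public. Standard library only.

```python
"""Added illustration of JWT algorithm confusion and URI-comparison authz bypass (not Keycloak code)."""
import base64
import hashlib
import hmac
import json
from typing import Optional
from urllib.parse import unquote

# Constructed stand-ins. A real verifier would hold the issuer's RSA public key; this fake
# PEM only needs to be public knowledge for the HS256 confusion to work.
PUBLIC_KEY_PEM = b"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...\n-----END PUBLIC KEY-----\n"
HMAC_SECRET = b"server-side-shared-secret-constructed"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def encode_jwt(header: dict, claims: dict, key: Optional[bytes]) -> str:
    """Minimal encoder for the two algorithms the demo needs (none, HS256)."""
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    if header["alg"] == "none":
        sig = ""
    elif header["alg"] == "HS256":
        sig = b64url(hmac.new(key, signing_input.encode(), hashlib.sha256).digest())
    else:
        raise ValueError("demo supports only none and HS256")
    return signing_input + "." + sig


def verify_vulnerable(token: str, key_material: bytes) -> Optional[dict]:
    """Bug class: the untrusted header picks the algorithm, and the one configured key is
    reused whatever that algorithm turns out to be."""
    h, c, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(c))  # unsigned token accepted outright
    if header.get("alg") == "HS256":
        expected = hmac.new(key_material, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if hmac.compare_digest(expected, b64url_decode(s)):
            return json.loads(b64url_decode(c))  # public-key bytes used as HMAC secret
    return None  # RS256 omitted: no RSA in this stdlib-only demo


def verify_hardened(token: str, expected_alg: str, key_material: bytes) -> Optional[dict]:
    """Fix: the algorithm comes from configuration, the header is merely checked against it."""
    h, c, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") != expected_alg:
        return None  # blocks 'none' and any RS256->HS256 downgrade before any key is touched
    if expected_alg != "HS256":
        raise NotImplementedError("demo verifies HS256 only; RS256 needs an RSA library")
    expected = hmac.new(key_material, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(c))


def forge_attacks() -> dict:
    """Runs both forgeries against both verifiers; the verifier is configured for RS256."""
    claims = {"sub": "admin@example.org", "iss": "https://idp.example.org"}  # constructed
    t_none = encode_jwt({"alg": "none", "typ": "JWT"}, claims, None)
    t_confused = encode_jwt({"alg": "HS256", "typ": "JWT"}, claims, PUBLIC_KEY_PEM)
    t_legit = encode_jwt({"alg": "HS256", "typ": "JWT"}, claims, HMAC_SECRET)
    return {
        "none_vuln": verify_vulnerable(t_none, PUBLIC_KEY_PEM),
        "confused_vuln": verify_vulnerable(t_confused, PUBLIC_KEY_PEM),
        "none_hard": verify_hardened(t_none, "RS256", PUBLIC_KEY_PEM),
        "confused_hard": verify_hardened(t_confused, "RS256", PUBLIC_KEY_PEM),
        "legit_hard": verify_hardened(t_legit, "HS256", HMAC_SECRET),
    }


# --- Policy-enforcer path comparison ------------------------------------------------
PROTECTED_PREFIX = "/admin"  # constructed policy: everything under /admin needs the role


def enforcer_naive(path: str) -> bool:
    """Bug class: compares the raw request path, so encoded or dotted variants slip past
    (and '/administrator' over-matches because there is no segment boundary check)."""
    return path.startswith(PROTECTED_PREFIX)


def normalize_path(path: str) -> str:
    """Percent-decode, drop empty and '.' segments, resolve '..' before comparing."""
    out = []
    for seg in unquote(path).split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def enforcer_normalized(path: str) -> bool:
    p = normalize_path(path)
    return p == PROTECTED_PREFIX or p.startswith(PROTECTED_PREFIX + "/")


if __name__ == "__main__":
    print(forge_attacks())
    for p in ("/admin/users", "/%61dmin/users", "/public/../admin/users", "//admin/users", "/administrator"):
        print(p, enforcer_naive(p), enforcer_normalized(p))
```

The normalization in the enforcer must match what the backend actually does with the path; if the application server decodes twice or is case-insensitive and the enforcer is not, the same class of mismatch reappears one layer down.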

vulnerabilities auth-bypass identity patch-available europe switzerland global CVE-2026-11800 CVE-2026-9800