Live brief · Weekly 2026-W27
CVE-2026-11800 (JWT algorithm-confusion) and CVE-2026-9800 (policy-enforcer authz bypass) — Keycloak identity-plane fixes
notable vulnerability discovered 2026-06-29 00:21 UTC
Part of run 2026-W26-b78503e7 (weekly · Anthropic Claude (specific model not determined))
Keycloak 26.6.4 fixed eight CVEs. The headline flaw is CVE-2026-11800, a JWT algorithm-confusion bug that lets an attacker holding valid client credentials forge an assertion, bypass signature verification and impersonate any federated user behind the affected identity provider (GHSA-gqj5-2xp5-3qmp, BSI WID-SEC-2026-2093). The bundled CVE-2026-9800 is a separate policy-enforcer authorization bypass caused by an incorrect URI comparison. Keycloak is the IdP of choice across European public-sector, healthcare and finance deployments, so these are identity-plane breaks, not application bugs. Patch to 26.6.4.
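The algorithm-confusion class behind CVE-2026-11800 comes down to a verifier that lets the token header choose how the signature is checked. The Go program below is an added illustration, not Keycloak's code and not derived from the advisory: a generic compact-JWS verifier that pins the algorithm to the key type, plus a `Demo` function (assumed name, constructed sample claims) showing a genuine RS256 token passing while an HS256 token keyed with the RSA modulus bytes and an unsigned `alg: none` token are both refused.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var enc = base64.RawURLEncoding

// Sign builds a compact JWS (header.payload.signature) so the example can construct
// its own tokens: RS256 uses priv, HS256 uses secret, "none" leaves the signature empty.
func Sign(alg string, claims map[string]any, priv *rsa.PrivateKey, secret []byte) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": alg, "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	var sig []byte
	switch alg {
	case "RS256":
		d := sha256.Sum256([]byte(input))
		s, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
		if err != nil {
			return "", err
		}
		sig = s
	case "HS256":
		m := hmac.New(sha256.New, secret)
		m.Write([]byte(input))
		sig = m.Sum(nil)
	case "none":
	default:
		return "", fmt.Errorf("unsupported alg %q", alg)
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// VerifyRS256 is the hardened verifier: the algorithm is fixed by the key type, so a
// header claiming "none" or "HS256" is refused before any signature math runs.
func VerifyRS256(token string, pub *rsa.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, err := enc.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // pinned: the token does not get to choose
		return nil, fmt.Errorf("alg %q rejected: key is pinned to RS256", hdr.Alg)
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	body, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// Demo (assumed name) reports whether each of three constructed tokens verifies: a genuine
// RS256 token, the same claims re-signed with HS256 using the RSA modulus bytes as the
// secret, and an unsigned alg "none" token. Expected: true, false, false.
func Demo() (genuineOK, confusedOK, noneOK bool) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // error ignored: demo only
	claims := map[string]any{"sub": "alice@example.test", "iss": "constructed-idp"} // constructed
	genuine, _ := Sign("RS256", claims, priv, nil)
	confused, _ := Sign("HS256", claims, nil, priv.PublicKey.N.Bytes())
	none, _ := Sign("none", claims, nil, nil)
	_, e1 := VerifyRS256(genuine, &priv.PublicKey)
	_, e2 := VerifyRS256(confused, &priv.PublicKey)
	_, e3 := VerifyRS256(none, &priv.PublicKey)
	return e1 == nil, e2 == nil, e3 == nil
}

func main() {
	fmt.Println(Demo())
}
```

The check to carry into any verifier, Keycloak-fronted or not, is that `hdr.Alg` is compared against what the key was registered for before any key material is touched. A verifier that instead dispatches on the header, and is handed RSA public material where an HMAC secret is expected, accepts the second token; pinning removes that path entirely, and `alg: none` is refused by the same comparison.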