Platform
java
Component
keycloak
Fixed in
*
CVE-2026-1529 is a security vulnerability discovered in Keycloak, a popular open-source identity and access management solution. This flaw allows attackers to bypass authentication controls by manipulating JSON Web Tokens (JWTs) used in invitation processes. Successful exploitation can lead to unauthorized access to Keycloak organizations, potentially compromising sensitive data and system resources. All Keycloak versions prior to the currently available patch are affected.
The core of this vulnerability lies in the insufficient validation of parameters within Keycloak's invitation token handling. An attacker can craft a malicious JWT by modifying the 'organization ID' and 'target email' fields within the token's payload. Because Keycloak fails to properly verify the cryptographic signature of the token, it accepts these modified values, allowing the attacker to effectively self-register into an organization they are not authorized to access. This bypasses the intended access control mechanisms. The potential impact is significant, ranging from unauthorized access to user data and administrative functions to potential data breaches and system compromise. This vulnerability shares similarities with other JWT manipulation attacks where inadequate validation of token claims leads to privilege escalation.
CVE-2026-1529 was publicly disclosed on 2026-02-09. The EPSS score is currently pending evaluation. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature suggests a relatively low barrier to exploitation once a valid invitation token is obtained. It has not yet been added to the CISA KEV catalog.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-1529 is to upgrade Keycloak to a version containing the security patch. As a temporary workaround, consider implementing stricter input validation on the server-side to scrutinize the organization ID and target email parameters within invitation tokens. Additionally, implement a Web Application Firewall (WAF) rule to detect and block requests containing suspicious JWT payloads with altered organization IDs or email addresses. Regularly review Keycloak's audit logs for any unusual self-registration attempts. After upgrading, confirm the fix by attempting to craft and use a modified invitation token; it should be rejected.
Update Keycloak to a version that includes the fix for this vulnerability. Refer to Red Hat security advisories (RHSA-2026:2363, RHSA-2026:2364, RHSA-2026:2365) for more details and specific upgrade instructions.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-1529 is a HIGH severity vulnerability in Keycloak allowing attackers to manipulate invitation tokens, enabling unauthorized self-registration and access.
Yes, if you are running Keycloak versions prior to the patched version (*), you are affected by this vulnerability.
Upgrade Keycloak to the latest patched version. As a temporary workaround, implement stricter input validation and WAF rules.
While no active exploitation has been confirmed, the vulnerability's nature suggests a relatively low barrier to exploitation.
Refer to the official Keycloak security advisories on the Keycloak website for detailed information and updates.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your pom.xml file and we'll tell you instantly if you're affected.