Org.keycloak.services.resources.organizations: keycloak: unauthorized organization registration via improper invitation token validation

The core of this vulnerability lies in the insufficient validation of parameters within Keycloak's invitation token handling. An attacker can craft a malicious JWT by modifying the 'organization ID' and 'target email' fields within the token's payload. Because Keycloak fails to properly verify the cryptographic signature of the token, it accepts these modified values, allowing the attacker to effectively self-register into an organization they are not authorized to access. This bypasses the intended access control mechanisms. The potential impact is significant, ranging from unauthorized access to user data and administrative functions to potential data breaches and system compromise. This vulnerability shares similarities with other JWT manipulation attacks where inadequate validation of token claims leads to privilege escalation.

Organizations heavily reliant on Keycloak for identity and access management, particularly those using invitation-based user onboarding processes, are at significant risk. Shared hosting environments where multiple Keycloak instances share resources could amplify the impact if one instance is compromised.

• java / server: Monitor Keycloak audit logs for unusual self-registration events with unexpected organization IDs or email addresses. Use Java profilers to inspect JWT parsing and validation routines for anomalies. • generic web: Inspect Keycloak access logs for requests containing unusually formatted or modified JWT tokens. Look for patterns of repeated failed login attempts with different organization IDs. • database (mysql, postgresql): If Keycloak's user data is stored in a database, query the user table for newly created accounts with suspicious email addresses or organization affiliations.

1. 2026-02-09Disclosure

   disclosure

1. 予約済み2026-01-28
2. 公開日2026-02-09
3. 更新日2026-02-16
4. EPSS 更新日2026-03-23

The primary mitigation for CVE-2026-1529 is to upgrade Keycloak to a version containing the security patch. As a temporary workaround, consider implementing stricter input validation on the server-side to scrutinize the organization ID and target email parameters within invitation tokens. Additionally, implement a Web Application Firewall (WAF) rule to detect and block requests containing suspicious JWT payloads with altered organization IDs or email addresses. Regularly review Keycloak's audit logs for any unusual self-registration attempts. After upgrading, confirm the fix by attempting to craft and use a modified invitation token; it should be rejected.