CVE Catalog

CVE-2026-9704

MediumCVSS 6.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.32%

24th percentile - higher than 24% of all known CVEs

Summary

A flaw was found in Keycloak where an authenticated user with low privileges can send an oversized JWT token to the TokenEndpoint. When the token exceeds 4000 characters, it is silently dropped, causing the system to fall back to client credentials, allowing privilege escalation.

Risk Assessment

The risk involves privilege escalation by a low-privileged user, potentially leading to unauthorized access to resources and sensitive data within the organization.

Recommendation

It is recommended to immediately update Keycloak to a patched version and implement JWT token length validation mechanisms at the application level.

Original NVD description (English source)

A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS