A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. Because the token's cryptographic signature is not verified, the attacker can self-register into an unauthorized organization, leading to unauthorized access.
The product does not verify, or incorrectly verifies, the cryptographic signature for data.
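As an added illustration of this weakness class (example code, not Keycloak's own), a minimal HS256 invitation-token consumer: the unverified decoder accepts any edited payload, while the verified one pins the algorithm, checks the MAC in constant time, and binds org_id and email to the invitation the server actually issued. The key, claim values and function names are constructed placeholders.

```python
# Added example (not Keycloak code): an HS256 invitation token whose consumer
# must verify the signature before trusting the org_id / email claims.
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key"  # constructed placeholder, not a real key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_invitation(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT carrying the invitation claims."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def decode_unverified(token: str) -> dict:
    """The flawed pattern: trusts the payload without checking the signature."""
    _, payload, _ = token.split(".")
    return json.loads(unb64url(payload))

def decode_verified(token: str, key: bytes) -> dict:
    """Hardened pattern: pin the algorithm and check the MAC before any use."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(unb64url(header_b64))
    if header.get("alg") != "HS256":  # rejects "none" and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(unb64url(payload_b64))

def accept_invitation(token: str, key: bytes, expected_org: str, expected_email: str) -> bool:
    """Bind the verified claims to the invitation the server issued."""
    claims = decode_verified(token, key)
    return claims.get("org_id") == expected_org and claims.get("email") == expected_email

def replace_payload(token: str, claims: dict) -> str:
    """Test fixture: swap the payload while keeping the original signature."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url(json.dumps(claims).encode())}.{sig_b64}"
```

In a regression test, the edited-payload token must be accepted by decode_unverified and rejected by decode_verified; that difference is exactly the check the flaw is missing.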
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Red Hat build of Keycloak 26.2 | RedHat | rhbk/keycloak-operator-bundle:26.2.13-1 | * |
| Red Hat build of Keycloak 26.2 | RedHat | rhbk/keycloak-rhel9:26.2-15 | * |
| Red Hat build of Keycloak 26.2 | RedHat | rhbk/keycloak-rhel9-operator:26.2-15 | * |
| Red Hat build of Keycloak 26.2.13 | RedHat | rhbk/keycloak-rhel9 | * |
| Red Hat build of Keycloak 26.4 | RedHat | rhbk/keycloak-operator-bundle:26.4.9-1 | * |
| Red Hat build of Keycloak 26.4 | RedHat | rhbk/keycloak-rhel9:26.4-11 | * |
| Red Hat build of Keycloak 26.4 | RedHat | rhbk/keycloak-rhel9-operator:26.4-10 | * |
| Red Hat build of Keycloak 26.4.9 | RedHat | rhbk/keycloak-rhel9 | * |