CVE-2026-9087 PUBLISHED

Keycloak: cross-session email verification proof not bound to upstream identity in first-broker-login

Assigner: redhat
Reserved: 20.05.2026
Published: 20.05.2026
Updated: 21.05.2026

A flaw was found in Keycloak. In the first-broker-login flow, the cross-session email verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified. A second upstream account on the same identity provider can therefore consume the proof and be linked to the victim's local account.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSS Score: 6.4

Product Status

Vendor: Red Hat
Product: Red Hat Build of Keycloak
Versions: Default: affected

Workarounds

To mitigate this issue, configure the affected identity provider with trustEmail=true. Keycloak then trusts the email address supplied by the upstream identity provider and skips the vulnerable verification flow. Apply this mitigation only if the upstream identity provider is fully trusted to verify email addresses and to prevent malicious account creation with existing email addresses. Configuration changes may require a Keycloak service restart or reload to take effect.
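As an added illustration that is not Keycloak's code and not part of this advisory, the following simplified Python model shows the proof keying described in the description above, the vulnerable (userId, idpAlias) key shape beside a key bound to the verified upstream account, and the effect of the trustEmail workaround; every class, function and sample value is an assumption made for the model:

```python
# Simplified model of a cross-session email-verification proof store. NOT Keycloak's
# code: key shapes, names and sample identities are assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class UpstreamIdentity:
    idp_alias: str
    broker_user_id: str  # stable subject identifier at the upstream IdP
    email: str


class ProofStore:
    """Holds one-time proofs that a local user verified an email for an IdP."""

    def __init__(self, bind_to_upstream: bool):
        self.bind_to_upstream = bind_to_upstream
        self._proofs = set()

    def _key(self, local_user_id: str, ident: UpstreamIdentity):
        if self.bind_to_upstream:
            # Hardened: proof is tied to the upstream account that was verified.
            return (local_user_id, ident.idp_alias, ident.broker_user_id)
        # Vulnerable shape from the advisory: any account on the same IdP matches.
        return (local_user_id, ident.idp_alias)

    def issue(self, local_user_id: str, ident: UpstreamIdentity) -> None:
        self._proofs.add(self._key(local_user_id, ident))

    def consume(self, local_user_id: str, ident: UpstreamIdentity) -> bool:
        key = self._key(local_user_id, ident)
        if key not in self._proofs:
            return False
        self._proofs.remove(key)  # single use
        return True


def may_link(store: ProofStore, trust_email: bool, local_user_id: str,
             ident: UpstreamIdentity) -> bool:
    """Decide whether ident may be linked to local_user_id."""
    if trust_email:
        return True  # workaround: upstream email trusted, proof flow skipped
    return store.consume(local_user_id, ident)


def second_account_links(bind_to_upstream: bool, trust_email: bool = False) -> bool:
    """Constructed scenario: victim verifies; a different upstream account tries to link."""
    store = ProofStore(bind_to_upstream)
    victim = UpstreamIdentity("corp-idp", "sub-victim", "alice@example.com")
    other = UpstreamIdentity("corp-idp", "sub-other", "alice@example.com")
    store.issue("local-alice", victim)
    return may_link(store, trust_email, "local-alice", other)
```

With trust_email=True the decision is delegated entirely to the upstream provider, which is why the advisory limits the workaround to identity providers that are fully trusted to prevent duplicate-email account creation.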

References

Problem Types

  • Authorization Bypass Through User-Controlled Key (CWE)