CVE-2026-9087
Published: 20 May 2026
Summary
CVE-2026-9087 is a medium-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability in Red Hat build of Keycloak. Its CVSS base score is 6.4 (Medium).
Operationally, exploitation maps to the MITRE ATT&CK technique Account Manipulation (T1098). The CVE is ranked at the 22.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-31134
Vulnerability details
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
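The following is an added illustration, not Keycloak's code and not taken from the advisory: a deliberately simplified model of a single-use verification proof store. The `bind_upstream_subject=False` variant reproduces the weak keying the description above refers to (proof keyed only by local user id and IdP alias), and the `True` variant binds the proof to the upstream subject that was actually verified. All names (`ProofStore`, `LinkRequest`, the user id `user-1001`, the alias `corp-oidc`, the two upstream subjects) are constructed for this example.

```python
"""Hypothetical model of a cross-session verification proof store.

Not Keycloak code. It shows why a proof keyed only by (local user id,
IdP alias) can be consumed by a different upstream account from the same
IdP, and how adding the verified upstream subject to the key prevents that.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class LinkRequest:
    """What the account-linking step sees when an upstream login returns."""
    local_user_id: str      # local user the IdP identity should be linked to
    idp_alias: str          # identity provider alias (constructed: "corp-oidc")
    upstream_subject: str   # subject identifier asserted by the IdP


class ProofStore:
    """Single-use proofs that an upstream identity was verified for a local user."""

    def __init__(self, bind_upstream_subject: bool):
        # False: weak key (local user id, IdP alias) only.
        # True:  key also includes the upstream subject that was verified.
        self.bind_upstream_subject = bind_upstream_subject
        self._proofs: set = set()

    def _key(self, req: LinkRequest) -> tuple:
        if self.bind_upstream_subject:
            return (req.local_user_id, req.idp_alias, req.upstream_subject)
        return (req.local_user_id, req.idp_alias)

    def issue(self, req: LinkRequest) -> None:
        """Record that req.upstream_subject was verified for req.local_user_id."""
        self._proofs.add(self._key(req))

    def consume(self, req: LinkRequest) -> bool:
        """Atomically consume a matching proof; False if none exists."""
        key = self._key(req)
        if key in self._proofs:
            self._proofs.discard(key)
            return True
        return False


def link_account(store: ProofStore, links: dict, req: LinkRequest) -> bool:
    """Link the IdP identity to the local account only if a proof is consumed."""
    if not store.consume(req):
        return False
    links[req.local_user_id].add((req.idp_alias, req.upstream_subject))
    return True


def run_scenario(bind_upstream_subject: bool) -> dict:
    """Victim verifies their own upstream account; a second upstream account
    on the same IdP then presents a link request for the same local user."""
    store = ProofStore(bind_upstream_subject)
    links: dict = defaultdict(set)

    # Session A: the victim's own upstream identity was verified (constructed data).
    victim = LinkRequest("user-1001", "corp-oidc", "victim@example.com")
    store.issue(victim)

    # Session B: a different upstream account on the same IdP targets the same local user.
    other = LinkRequest("user-1001", "corp-oidc", "attacker@example.com")
    attacker_linked = link_account(store, links, other)

    # The victim's own flow now tries to complete the link.
    victim_linked = link_account(store, links, victim)

    return {
        "attacker_linked": attacker_linked,
        "victim_linked": victim_linked,
        "links": {k: set(v) for k, v in links.items()},
    }


if __name__ == "__main__":
    print("weak key:    ", run_scenario(False))
    print("subject-bound:", run_scenario(True))
```

With the weak key the foreign upstream account consumes the proof and is linked to `user-1001`, and the victim's own completion then fails because the single-use proof is gone; with the subject-bound key only the verified upstream subject can complete the link. The fix is in the key, not in rate limiting or in the single-use property, which both variants already have.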
- CWE-639: Authorization Bypass Through User-Controlled Key
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CWE-639 weakness (an IDOR-style key check) in Keycloak's IdP account-linking flow directly enables unauthorized Account Manipulation (T1098), reached by exploiting a public-facing authentication service (T1190, Exploit Public-Facing Application).
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.