CVE-2026-14781 Overview
CVE-2026-14781 is a flaw in the org.keycloak.broker.oidc package that mishandles the email_verified claim during OpenID Connect (OIDC) identity brokering. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but pulls the email_verified status exclusively from the id_token. The broker does not confirm that both sources reference the same email address. This allows a compromised or malicious upstream OIDC provider to mark arbitrary email addresses as verified inside Keycloak.
Critical Impact
An attacker controlling an upstream OIDC provider can flag arbitrary emails as verified, bypass email-based security checks, and potentially take over accounts linked by email in downstream applications.
Affected Products
- Red Hat Keycloak (org.keycloak.broker.oidc package)
- Red Hat build of Keycloak
- Downstream distributions embedding the affected Keycloak OIDC broker
Discovery Timeline
- 2026-07-05 - CVE-2026-14781 published to the National Vulnerability Database (NVD)
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2026-14781
Vulnerability Analysis
The vulnerability is an improper synchronization of authoritative identity claims across two OIDC endpoints [CWE-1288]. Keycloak's OIDC broker treats the email claim from the userinfo endpoint and the email_verified claim from the id_token as if they describe the same subject email. No cross-check is performed to confirm the two claims refer to the same address.
When trustEmail=true is configured on the identity provider, Keycloak persists the verified status directly into its user database and skips its own verification workflow. Downstream applications that rely on Keycloak's stored email_verified flag to link or authorize accounts inherit this incorrect trust decision.
Root Cause
The root cause is missing validation between two OIDC response sources. The id_token may legitimately assert email_verified=true for one address while the userinfo endpoint returns a different address. Because the broker applies the boolean flag without matching the underlying email string, the trust assertion is silently transferred to an unrelated address.
Attack Vector
Exploitation requires three preconditions: the OIDC identity provider must be configured with trustEmail=true (non-default), the userinfo endpoint must be enabled (default), and the attacker must control or have compromised the upstream OIDC provider. Under those conditions, the malicious provider issues an id_token containing email_verified=true for an attacker-owned address while returning a victim's email in the userinfo response. Keycloak then stores the victim address with the verified flag set. Applications that federate identities using the email as a primary linking key may grant access to the attacker.
No verified public proof-of-concept has been published. See the Red Hat CVE-2026-14781 Advisory and Red Hat Bug Report #2497118 for vendor technical details.
Detection Methods for CVE-2026-14781
Indicators of Compromise
- Keycloak user records where the stored email value does not match the email claim in the most recent id_token received from the federated OIDC provider.
- Broker login events in which the userinfo response email and id_token email differ for the same authentication transaction.
- Sudden changes to emailVerified=true on accounts linked via OIDC brokering without a corresponding Keycloak verification email flow.
Detection Strategies
- Enable Keycloak event logging for IDENTITY_PROVIDER_LOGIN and IDENTITY_PROVIDER_FIRST_LOGIN and compare token claims against persisted user attributes.
- Audit all configured identity providers for the trustEmail setting and flag any set to true.
- Correlate authentication logs to identify OIDC providers returning inconsistent email values between id_token and userinfo responses.
Monitoring Recommendations
- Forward Keycloak event streams to a centralized log platform and alert on discrepancies between token and userinfo email claims.
- Monitor administrative changes to identity provider configurations, particularly toggles of trustEmail.
- Track authentication flows that create or link accounts using externally supplied email_verified values.
How to Mitigate CVE-2026-14781
Immediate Actions Required
- Inventory all OIDC identity provider configurations in Keycloak and disable trustEmail unless the upstream provider is fully trusted and audited.
- Apply the fixed Keycloak release as published in the Red Hat CVE-2026-14781 Advisory once available for your distribution.
- Re-run Keycloak's built-in email verification for accounts linked from OIDC providers where trustEmail=true was previously enabled.
Patch Information
Refer to the Red Hat CVE-2026-14781 Advisory and Red Hat Bug Report #2497118 for the authoritative list of fixed Keycloak versions and downstream product updates. The remediation enforces that the email_verified claim only applies when the id_token and userinfo endpoint return the same email address.
Workarounds
- Set trustEmail=false on affected OIDC identity providers to force Keycloak to run its own email verification workflow.
- Disable use of the userinfo endpoint on brokered OIDC providers where the id_token already carries sufficient claims.
- Configure account-linking logic in downstream applications to require an additional verification step beyond the email_verified flag returned by Keycloak.
# Example: disable trustEmail on a Keycloak OIDC identity provider using kcadm
kcadm.sh update identity-provider/instances/<alias> \
-r <realm> \
-s 'config.trustEmail="false"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

