CVE-2026-9087 Overview
CVE-2026-9087 is an authorization flaw in Keycloak's identity provider (IdP) account linking workflow. The cross-session verification proof is keyed only by the tuple of local userId and idpAlias. The proof is not bound to the upstream identity that was actually verified. As a result, a second upstream account on the same IdP can consume the proof and become linked to the victim's local Keycloak account. This weakness maps to CWE-639: Authorization Bypass Through User-Controlled Key. The flaw affects account federation flows where users link external IdP accounts to existing Keycloak identities.
Critical Impact
An attacker controlling a second account on the same upstream IdP can hijack the linking proof and attach their account to a victim's Keycloak identity, enabling persistent unauthorized access.
Affected Products
- Keycloak identity and access management server
- Red Hat build of Keycloak distributions
- Downstream products embedding the affected Keycloak account-linking code paths
Discovery Timeline
- 2026-05-20 - CVE-2026-9087 published to the National Vulnerability Database
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-9087
Vulnerability Analysis
Keycloak supports linking an upstream IdP account to a local Keycloak user through a flow that issues a cross-session verification proof. This proof confirms that the user completed an out-of-band verification with the upstream IdP before the link is committed. The vulnerability stems from how the proof is keyed. Keycloak indexes the proof using only (localUserId, idpAlias). It does not include the verified upstream subject identifier in the key or signature payload. An attacker who controls any other account on the same upstream IdP can therefore present the proof during the link step. Keycloak accepts the proof because both localUserId and idpAlias match the original verification, even though the upstream subject differs. The result is an unauthorized federation link between the attacker's upstream account and the victim's local Keycloak user.
Root Cause
The root cause is missing identity binding in the verification proof. The proof should incorporate the verified upstream subject identifier, such as the OpenID Connect sub claim or SAML NameID, in its lookup key or signed payload. Because that binding is absent, the proof is reusable across any upstream identity on the same IdP alias.
Attack Vector
Exploitation requires network access to the Keycloak account console, low privileges on a Keycloak account, and user interaction to trigger the linking ceremony. The attacker first observes or induces a victim to initiate IdP linking. The attacker then registers or uses a separate account on the same upstream IdP. When the attacker completes the link step, Keycloak retrieves the proof by (localUserId, idpAlias) and binds the attacker's upstream account to the victim's local user. The attacker can subsequently authenticate to the victim's Keycloak identity through the linked federation. Refer to the Red Hat CVE-2026-9087 Advisory and the Red Hat Bug Report #2480172 for vendor technical details.
Detection Methods for CVE-2026-9087
Indicators of Compromise
- Audit events of type FEDERATED_IDENTITY_LINK or IDENTITY_PROVIDER_LINK_ACCOUNT where the upstream subject identifier does not match prior successful authentications for the same local user.
- Multiple federated identity link events for the same local userId and idpAlias within a short window.
- Successful logins to a local account from an upstream subject that was never authorized by the legitimate user.
Detection Strategies
- Correlate Keycloak admin event logs with upstream IdP authentication logs to verify that the upstream sub value used during linking matches the value authenticated in the initiating session.
- Alert when a federated link is created and the upstream subject differs from the subject seen during the preceding verification step.
- Hunt for accounts that gained new federated identities outside of standard onboarding workflows.
Monitoring Recommendations
- Forward Keycloak admin and login events to a centralized log platform with retention sufficient for incident response.
- Track per-user counts of linked federated identities and alert on unexpected increases.
- Monitor IdP-side audit logs for accounts that complete linking ceremonies for users they have no business association with.
How to Mitigate CVE-2026-9087
Immediate Actions Required
- Apply the Keycloak security update referenced in the Red Hat CVE-2026-9087 Advisory as soon as it is available for your distribution.
- Audit existing federated identity links and remove any that cannot be attributed to a legitimate linking event.
- Require re-authentication and administrative review before any new IdP account links take effect in sensitive realms.
Patch Information
Consult the Red Hat CVE-2026-9087 Advisory and Red Hat Bug Report #2480172 for fixed component versions, errata identifiers, and upgrade instructions specific to your Keycloak or Red Hat build of Keycloak deployment.
Workarounds
- Disable self-service IdP account linking in the account console until patched, and route all linking through administrator-mediated workflows.
- Restrict identity provider aliases to IdPs that enforce strong account ownership verification and disallow easy creation of secondary accounts.
- Enforce step-up authentication and short session lifetimes for any flow that creates or modifies federated identity links.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
