CVE Vulnerability Database

CVE-2026-9704: Keycloak Privilege Escalation Vulnerability

CVE-2026-9704 is a privilege escalation flaw in Keycloak that allows low-privileged users to gain service account permissions via oversized JWT tokens. This article covers technical details, affected versions, and mitigations.


CVE-2026-9704 Overview

CVE-2026-9704 is a privilege escalation vulnerability in Keycloak's TokenEndpoint. An authenticated user with low privileges can submit a subject_token JSON Web Token (JWT) that exceeds a 4000-character limit. Keycloak silently drops the oversized token and falls back to client credentials authentication. The request then executes with the permissions of the client's service account.

The flaw is categorized as Improper Validation of Specified Quantity in Input [CWE-1284]. It affects token exchange flows where service accounts hold broader privileges than the original requesting user.

Critical Impact

An authenticated low-privilege user can obtain the permissions of a client service account, bypassing intended authorization boundaries on the Keycloak TokenEndpoint.

Affected Products

  • Red Hat Keycloak (see Red Hat CVE-2026-9704 Advisory)
  • Red Hat Build of Keycloak
  • Upstream Keycloak deployments performing token exchange via the TokenEndpoint

Discovery Timeline

  • 2026-05-27 - CVE-2026-9704 published to NVD
  • 2026-05-27 - Last updated in NVD database

Technical Details for CVE-2026-9704

Vulnerability Analysis

The vulnerability resides in Keycloak's TokenEndpoint handling of the subject_token parameter during token exchange. Keycloak enforces a 4000-character ceiling on the inbound JWT. When a submitted token crosses that boundary, the endpoint discards it instead of rejecting the request with an authentication error.

After dropping the token, the endpoint continues processing using the client credentials supplied in the same request. The resulting access token is issued under the client's service account identity rather than the original user's identity. An authenticated low-privilege user who controls a client with a more powerful service account can therefore escalate to those service account permissions.

Root Cause

The defect is an input quantity validation error [CWE-1284]. Keycloak does not fail closed on oversized token input: it silently drops the value rather than aborting the authentication flow. The downstream authentication logic cannot tell a request that legitimately omits subject_token (a plain client_credentials grant) from one whose token was discarded for exceeding the length limit, so a token exchange request is processed as if it were a client_credentials request.

Attack Vector

Exploitation requires network access to the TokenEndpoint and valid credentials for a client that is permitted to perform token exchange and whose service account holds more privileges than the attacker's own user account. The attacker sends a token exchange request whose subject_token is longer than 4000 characters, together with those client credentials. Keycloak drops the oversized JWT, falls back to the client_credentials grant path, and issues a token bound to the service account, which the attacker then presents to protected resources. No user interaction is required. Attack complexity is high because the attacker must already hold the credentials of a client whose service account outranks their own user identity.
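The drop-then-fall-back sequence described in the analysis, root cause and attack vector sections above, modeled as an added Python example. This is illustrative code written for this page, not Keycloak's source: the in-memory user and client records, the unsigned demo JWT, the TokenError stand-in for OAuth error responses and the `fixed` switch are all constructed to show the vulnerable behaviour beside a fail-closed version.

```python
"""Added illustration of the drop-and-fall-back flaw; not Keycloak code."""
import base64
import json

MAX_SUBJECT_TOKEN_CHARS = 4000  # ceiling the advisory describes
TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"

# Constructed identities: a low-privilege user and a client whose service
# account carries a role the user does not have.
USERS = {"alice": ["viewer"]}
CLIENTS = {"exchange-client": {"secret": "s3cr3t",
                               "service_account_roles": ["viewer", "manage-users"]}}


class TokenError(Exception):
    """Stands in for an OAuth error response (invalid_client, invalid_request, ...)."""


def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_subject_token(user, padding=0):
    """Unsigned demo JWT for `user`; `padding` inflates a claim to push it past the limit."""
    header = _b64url({"alg": "none", "typ": "JWT"})
    payload = _b64url({"sub": user, "pad": "x" * padding})
    return f"{header}.{payload}."


def _subject_of(token):
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def token_endpoint(params, fixed):
    """Return the principal and roles the issued token would carry.

    fixed=False reproduces the flaw: an oversized subject_token is dropped and the
    request continues on the client_credentials path.  fixed=True fails closed.
    """
    client = CLIENTS.get(params.get("client_id"))
    if client is None or client["secret"] != params.get("client_secret"):
        raise TokenError("invalid_client")
    client_id = params["client_id"]

    grant_type = params.get("grant_type")
    subject_token = params.get("subject_token")

    if subject_token is not None and len(subject_token) > MAX_SUBJECT_TOKEN_CHARS:
        if fixed:
            raise TokenError(f"invalid_request: subject_token exceeds {MAX_SUBJECT_TOKEN_CHARS} characters")
        subject_token = None  # vulnerable behaviour: silently discard and carry on

    if grant_type == TOKEN_EXCHANGE_GRANT:
        if subject_token is not None:
            user = _subject_of(subject_token)
            if user not in USERS:
                raise TokenError("invalid_token")
            return {"sub": user, "roles": USERS[user]}
        if fixed:
            raise TokenError("invalid_request: token exchange requires subject_token")
        # vulnerable behaviour: now indistinguishable from a client_credentials request

    if fixed and grant_type != "client_credentials":
        raise TokenError("unsupported_grant_type")

    # client_credentials path: the token is bound to the client's service account
    return {"sub": f"service-account-{client_id}", "roles": client["service_account_roles"]}


def demo():
    """Send the same oversized request to the flawed and to the fixed endpoint."""
    request = {"grant_type": TOKEN_EXCHANGE_GRANT, "client_id": "exchange-client",
               "client_secret": "s3cr3t",
               "subject_token": make_subject_token("alice", padding=MAX_SUBJECT_TOKEN_CHARS)}
    escalated = token_endpoint(request, fixed=False)
    try:
        token_endpoint(request, fixed=True)
        rejected = None
    except TokenError as err:
        rejected = str(err)
    return escalated, rejected


if __name__ == "__main__":
    print(demo())
```

Running the module shows the flawed endpoint answering the oversized exchange with the service-account principal and its manage-users role, while the fixed endpoint refuses with invalid_request; a normally sized token for alice yields alice's own viewer role on both.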

No verified public proof-of-concept code is available. See Red Hat Bugzilla entry #2481877 for vendor technical detail.

Detection Methods for CVE-2026-9704

Indicators of Compromise

  • TokenEndpoint requests whose subject_token parameter is longer than 4000 characters, particularly from clients used by low-privilege users.
  • Access tokens carrying a service account subject issued shortly after token exchange requests made on behalf of ordinary users.
  • Unexpected use of client service account identities against downstream resource servers.

Detection Strategies

  • Inspect Keycloak access logs and audit events for token exchange requests where the issued token principal differs from the authenticated user.
  • Alert on HTTP POST requests to /realms/*/protocol/openid-connect/token whose grant_type is urn:ietf:params:oauth:grant-type:token-exchange and whose Content-Length exceeds the largest legitimate token exchange request in your baseline.
  • Correlate user authentication events with subsequent service account token issuance within the same session.

Monitoring Recommendations

  • Enable Keycloak event listener logging for TOKEN_EXCHANGE and CLIENT_LOGIN events and forward them to a SIEM for correlation.
  • Baseline normal subject_token lengths in your environment and alert on outliers above 3500 characters.
  • Monitor service account token usage patterns and flag bursts of activity that follow unrelated user authentications.
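The size-based detection strategy above and the subject_token length baseline under Monitoring Recommendations, as an added Python example that is not from this page or from Keycloak. It assumes a reverse proxy in front of Keycloak writing JSON access-log records that include the form body of POSTs to the token endpoint (with client_secret redacted); the record layout, field names and every sample line below are constructed for the example.

```python
"""Added detection example; log format and sample lines are constructed."""
import json
from urllib.parse import parse_qs, urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
TOKEN_PATH_SUFFIX = "/protocol/openid-connect/token"
HARD_LIMIT = 4000      # Keycloak ceiling described in the advisory
BASELINE_ALERT = 3500  # outlier threshold from the monitoring recommendations


def _line(ts, status, form):
    """Constructed proxy access-log record (assumed JSON format with the POST body logged)."""
    return json.dumps({"ts": ts, "client_ip": "10.0.0.5", "method": "POST",
                       "path": "/realms/demo/protocol/openid-connect/token",
                       "status": status, "request_body": urlencode(form)})


def _exchange(token_len):
    """Form body of a token exchange request with a subject_token of the given length."""
    return {"grant_type": TOKEN_EXCHANGE_GRANT, "client_id": "exchange-client",
            "client_secret": "REDACTED", "subject_token": "A" * token_len}


SAMPLE_LOG = [
    _line("2026-05-28T10:00:01Z", 200, _exchange(900)),    # ordinary exchange
    _line("2026-05-28T10:00:02Z", 200, _exchange(4200)),   # oversized, yet a token was issued
    _line("2026-05-28T10:00:03Z", 400, _exchange(4200)),   # oversized and rejected
    _line("2026-05-28T10:00:04Z", 200, _exchange(3700)),   # above baseline, under the limit
    _line("2026-05-28T10:00:05Z", 200, {"grant_type": "client_credentials",
                                        "client_id": "exchange-client",
                                        "client_secret": "REDACTED"}),
    json.dumps({"ts": "2026-05-28T10:00:06Z", "client_ip": "10.0.0.9", "method": "GET",
                "path": "/realms/demo/account", "status": 200}),
]


def parse_token_request(record):
    """(client_id, grant_type, subject_token length) for a token-endpoint POST, else None."""
    if record.get("method") != "POST" or not record.get("path", "").endswith(TOKEN_PATH_SUFFIX):
        return None
    form = parse_qs(record.get("request_body", ""), keep_blank_values=True)

    def first(key):
        return form.get(key, [""])[0]

    return first("client_id"), first("grant_type"), len(first("subject_token"))


def classify(grant_type, token_len, status):
    """Severity and reason for one token exchange request, or None if uninteresting."""
    if grant_type != TOKEN_EXCHANGE_GRANT:
        return None
    if token_len > HARD_LIMIT:
        if status == 200:
            return "high", "oversized subject_token accepted; fallback to service account suspected"
        return "info", "oversized subject_token rejected (expected once patched or size-limited)"
    if token_len > BASELINE_ALERT:
        return "medium", "subject_token above baseline; possible probing of the length limit"
    return None


def analyze(lines):
    """Run both rules over JSON log lines and return the findings in log order."""
    findings = []
    for line in lines:
        record = json.loads(line)
        parsed = parse_token_request(record)
        if parsed is None:
            continue
        client_id, grant_type, token_len = parsed
        verdict = classify(grant_type, token_len, record.get("status"))
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({"ts": record["ts"], "client_ip": record.get("client_ip"),
                         "client_id": client_id, "subject_token_len": token_len,
                         "status": record.get("status"), "severity": severity, "reason": reason})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(json.dumps(finding))
```

The status code is what separates the two oversized cases: a 200 on a request Keycloak should have refused is the signature of the silent fallback, while a 400 on the same request is what a patched instance or a proxy body limit produces, so the first is paged and the second is kept as evidence that the control is working.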

How to Mitigate CVE-2026-9704

Immediate Actions Required

  • Apply vendor patches as soon as they are available from Red Hat. Track status via the Red Hat CVE-2026-9704 Advisory.
  • Audit existing Keycloak clients and remove unnecessary roles from client service accounts, especially where token exchange is enabled.
  • Review token exchange policies and disable the feature on clients that do not require it.

Patch Information

Refer to the Red Hat CVE-2026-9704 Advisory for fixed package versions and errata. Red Hat Bugzilla entry #2481877 tracks the upstream fix.

Workarounds

  • Restrict access to the TokenEndpoint at the network or reverse proxy layer and enforce a maximum request body size chosen so that any request carrying a subject_token above the 4000-character ceiling is rejected by the proxy with an HTTP error rather than reaching Keycloak's silent fallback. Size the limit against your own baseline so that legitimate exchanges still pass.
  • Disable the token-exchange feature on clients where it is not strictly required.
  • Apply the principle of least privilege to all client service accounts so that fallback authentication cannot yield elevated permissions.
```nginx
# Example: cap the request body size at an NGINX reverse proxy in front of Keycloak.
# A form body carrying a subject_token longer than Keycloak's 4000-character ceiling,
# together with the grant_type, client_id and client credential fields, comes to more
# than 4 KiB, so NGINX answers 413 before the request reaches the silent-fallback path.
# The limit applies to every grant handled by the token endpoint; confirm that
# legitimate requests (large refresh tokens, long authorization codes) stay under it
# before deploying. keycloak_upstream must be defined in an upstream block.
location ~ ^/realms/[^/]+/protocol/openid-connect/token$ {
    client_max_body_size 4k;
    proxy_pass http://keycloak_upstream;
}
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
