CVE-2026-9793 Overview
CVE-2026-9793 is a signature verification flaw in Keycloak affecting JSON Web Encryption (JWE) request object processing. When a client submits a JWE-encrypted request object whose decrypted payload contains raw JSON, Keycloak processes the unsigned claims and bypasses the configured signature policy. A remote attacker can submit unauthorized claims into the OpenID Connect (OIDC) authorization flow, undermining data integrity. The redirect URI allowlist provides partial compensating control, but the behavior violates OIDC Core and Financial-grade API (FAPI) signing requirements. The weakness is categorized under [CWE-347] Improper Verification of Cryptographic Signature.
Critical Impact
Remote attackers can inject unsigned claims into OIDC authorization requests, breaking the integrity guarantees required by OIDC Core and FAPI profiles.
Affected Products
- Red Hat Keycloak (see vendor advisory for affected versions)
- Red Hat Single Sign-On / Red Hat build of Keycloak
- Upstream Keycloak deployments processing JWE-encrypted OIDC request objects
Discovery Timeline
- 2026-05-28 - CVE-2026-9793 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-9793
Vulnerability Analysis
Keycloak accepts OIDC request objects delivered as JWE-encrypted payloads. The OIDC Core specification requires request objects to be signed, and FAPI profiles enforce strict signature validation. The vulnerable code path decrypts the JWE and, when the resulting plaintext is raw JSON rather than a nested JWS, treats the contained claims as trusted input. This skips signature verification entirely.
An attacker who can encrypt a request object to the authorization server's public key can therefore submit arbitrary claims without holding any signing key. Because confidentiality (encryption) is conflated with authenticity (signature), the OIDC trust model collapses for that request. The redirect URI allowlist limits where authorization codes can be returned, which reduces but does not eliminate impact on data integrity.
Root Cause
The root cause is missing enforcement of the configured signature policy when a decrypted JWE contains raw JSON instead of a signed JWT. Keycloak should require an inner JWS before honoring claims, but the conditional branch accepts unsigned content as valid.
Attack Vector
Exploitation requires network access to the Keycloak authorization endpoint and knowledge of the realm's JWE encryption key, which is published in the OIDC discovery document. The attacker crafts a JWE wrapping a raw JSON object, submits it as a request parameter, and observes Keycloak honoring the unsigned claims. No prior authentication is required, though attack complexity is elevated because the exploit must align with a client configured for JWE request objects.
No verified proof-of-concept code is published. Refer to the Red Hat CVE-2026-9793 Advisory and Red Hat Bug #2482460 for vendor technical details.
Detection Methods for CVE-2026-9793
Indicators of Compromise
- Authorization requests containing a request parameter where the JWE plaintext is raw JSON rather than a nested signed JWT
- OIDC authorization flows where claim values in issued tokens diverge from those expected for the registered client
- Repeated authorization attempts from a single source iterating over client_id values with JWE request objects
Detection Strategies
- Inspect Keycloak event logs for CODE_TO_TOKEN and LOGIN events tied to clients configured with request.object.encryption.alg set, then correlate with anomalous claim content
- Add a reverse-proxy or WAF rule that parses incoming JWE request objects post-decryption (where feasible) and rejects payloads lacking an inner JWS header
- Compare claim values in authorization requests against the static client configuration to flag mismatched redirect_uri, scope, or acr_values
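The structural gate described above (reject a decrypted request-object payload that lacks an inner JWS), as an added example that is not Keycloak's code or taken from the vendor advisory. It runs on the plaintext after JWE decryption; the allowed-algorithm set, function names and sample tokens are assumptions.

```python
import base64
import json

# Assumed realm policy: signing algs permitted for request objects (mirrors the
# PS256/ES256 recommendation in the workarounds below).
ALLOWED_REQUEST_OBJECT_ALGS = {"PS256", "ES256"}

def _jws_header(parts: list) -> dict:
    # JWS segments are unpadded base64url; restore the padding before decoding.
    raw = base64.urlsafe_b64decode(parts[0] + "=" * (-len(parts[0]) % 4))
    header = json.loads(raw)
    return header if isinstance(header, dict) else {}

def classify_jwe_plaintext(plaintext: bytes) -> str:
    """Returns "jws", "unsigned_jws" (alg=none or empty signature), "raw_json"
    (bare claims object, the shape this CVE concerns) or "invalid"."""
    try:
        text = plaintext.decode("utf-8").strip()
    except UnicodeDecodeError:
        return "invalid"
    if text.startswith("{"):  # bare JSON: no signature at all
        try:
            body = json.loads(text)
        except ValueError:
            return "invalid"
        return "raw_json" if isinstance(body, dict) else "invalid"
    parts = text.split(".")
    if len(parts) != 3:  # not a compact JWS either
        return "invalid"
    try:
        alg = _jws_header(parts).get("alg")
    except ValueError:  # undecodable base64 or non-JSON header
        return "invalid"
    if not alg or str(alg).lower() == "none" or not parts[2]:
        return "unsigned_jws"
    return "jws"

def check_signature_policy(plaintext: bytes) -> tuple:
    """Gate before any decrypted claim is trusted; returns (accept, reason). True
    still requires verifying the signature against the client's registered key."""
    kind = classify_jwe_plaintext(plaintext)
    if kind != "jws":
        return False, "payload is not a signed JWS: " + kind
    alg = str(_jws_header(plaintext.decode().split("."))["alg"])
    if alg not in ALLOWED_REQUEST_OBJECT_ALGS:
        return False, "alg not permitted by signature policy: " + alg
    return True, "nested JWS (" + alg + "), proceed to signature verification"
# Constructed samples (no real keys; the JWS signature segment is a dummy).
RAW_JSON_SAMPLE = b'{"client_id": "app", "redirect_uri": "https://app.example/cb"}'
SIGNED_SAMPLE = b"eyJhbGciOiJQUzI1NiJ9.e30.ZHVtbXk"  # {"alg":"PS256"}.{}.dummy
```

A raw JSON payload is refused before any claim is read, which is the behaviour the fixed Keycloak branch must enforce; a passing result only means the nested JWS is present and its algorithm is permitted.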
Monitoring Recommendations
- Forward Keycloak admin and event logs to a centralized analytics platform and alert on signature validation warnings tied to request objects
- Track baseline volumes of JWE-based authorization requests per client and alert on sudden growth from unfamiliar source IPs
- Audit FAPI-profiled clients on every release for adherence to signed-then-encrypted request object policy
How to Mitigate CVE-2026-9793
Immediate Actions Required
- Apply the Keycloak update referenced in the Red Hat CVE-2026-9793 Advisory as soon as a fixed build is available for your distribution
- Audit all OIDC clients that permit JWE request objects and confirm whether they truly require encryption-only delivery
- Tighten redirect URI allowlists to exact-match values to preserve the compensating control
Patch Information
Red Hat tracks the fix under Red Hat Bug #2482460. Consult the vendor advisory for the specific Keycloak and Red Hat build of Keycloak versions that contain the corrected signature enforcement logic.
Workarounds
- Disable JWE-encrypted request objects on clients that do not require them by clearing request.object.encryption.alg in the client configuration
- Require signed request objects by setting request.object.signature.alg to an approved algorithm such as PS256 or ES256 and reject clients that submit unsigned payloads
- Restrict network access to the Keycloak authorization endpoint to known client networks where operationally feasible
# Example: enforce signed request objects on a Keycloak client via kcadm
# Client attribute keys contain dots, so each key is quoted inside the -s argument.
# request.object.required accepts "not required", "request or request_uri",
# "request only" and "request_uri only" (the values contain spaces).
kcadm.sh update clients/<client-uuid> -r <realm> \
  -s 'attributes."request.object.signature.alg"=PS256' \
  -s 'attributes."request.object.required"=request only'