logo

Database

Lack of data validation In org.keycloak:keycloak-services

Description

Keycloak affected by improper invitation token validation A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully self-register into an unauthorized organization, leading to unauthorized access.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-15292. NVD-2026-15293. OSV-2026-15294. GCVE-2026-15295. access.redhat.com6. access.redhat.com7. access.redhat.com8. access.redhat.com9. ACCESS-CVE-2026-1529

References

1. https://github.com/keycloak/keycloak/issues/461452. https://github.com/keycloak/keycloak/pull/461553. https://github.com/keycloak/keycloak/commit/82cd7941d1dd28fa14a67a6e6b912301f1a5e1a14. https://github.com/keycloak/keycloak/commit/8fc9a98026106a326f4faa98d4c9a48341ace2d75. https://github.com/keycloak/keycloak/commit/b2519756487b519f95c07aa8b10afe003e4921196. https://bugzilla.redhat.com/show_bug.cgi?id=2433783

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.