CVE-2026-14781: Improper Validation of Consistency within Input in Red Hat Red Hat Build of Keycloak
CVE-2026-14781 is a medium severity vulnerability in Red Hat Build of Keycloak involving improper validation of the email_verified claim synchronization in the OIDC broker. When configured with trustEmail=true and the userinfo endpoint enabled, Keycloak may incorrectly mark arbitrary email addresses as verified due to a lack of consistency validation between the id_token and userinfo email claims. This can lead to bypassing email-based security controls and potential account takeover if relying solely on the email_verified flag from the identity provider.
AI Analysis
Technical Summary
This vulnerability exists in the org.keycloak.broker.oidc package of Red Hat Build of Keycloak. The OIDC broker incorrectly synchronizes the email_verified claim by retrieving the email address from the userinfo endpoint but the email_verified status exclusively from the id_token without validating that both refer to the same email address. If these differ, the id_token's email_verified=true claim is blindly applied to the userinfo email, allowing an attacker who controls or has compromised the upstream OIDC provider to mark arbitrary email addresses as verified. Exploitation requires the OIDC identity provider to have trustEmail set to true (a non-default setting) and the userinfo endpoint enabled (default).
Potential Impact
An attacker controlling or compromising the upstream OIDC provider can cause Keycloak to mark arbitrary email addresses as verified. This undermines email-based security controls and verification workflows, potentially enabling account takeover if applications rely solely on the email_verified flag from the identity provider to link accounts. The CVSS 3.1 base score is 4.8 (medium), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, and limited confidentiality and integrity impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-14781 for current remediation guidance. Until an official fix is available, avoid enabling the trustEmail=true setting in the OIDC identity provider configuration or disable the userinfo endpoint if feasible. Additionally, do not rely solely on the email_verified claim from the identity provider for critical security decisions.
CVE-2026-14781: Improper Validation of Consistency within Input in Red Hat Red Hat Build of Keycloak
Description
CVE-2026-14781 is a medium severity vulnerability in Red Hat Build of Keycloak involving improper validation of the email_verified claim synchronization in the OIDC broker. When configured with trustEmail=true and the userinfo endpoint enabled, Keycloak may incorrectly mark arbitrary email addresses as verified due to a lack of consistency validation between the id_token and userinfo email claims. This can lead to bypassing email-based security controls and potential account takeover if relying solely on the email_verified flag from the identity provider.
CVSS v3.1
Score 4.8medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability exists in the org.keycloak.broker.oidc package of Red Hat Build of Keycloak. The OIDC broker incorrectly synchronizes the email_verified claim by retrieving the email address from the userinfo endpoint but the email_verified status exclusively from the id_token without validating that both refer to the same email address. If these differ, the id_token's email_verified=true claim is blindly applied to the userinfo email, allowing an attacker who controls or has compromised the upstream OIDC provider to mark arbitrary email addresses as verified. Exploitation requires the OIDC identity provider to have trustEmail set to true (a non-default setting) and the userinfo endpoint enabled (default).
Potential Impact
An attacker controlling or compromising the upstream OIDC provider can cause Keycloak to mark arbitrary email addresses as verified. This undermines email-based security controls and verification workflows, potentially enabling account takeover if applications rely solely on the email_verified flag from the identity provider to link accounts. The CVSS 3.1 base score is 4.8 (medium), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, and limited confidentiality and integrity impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-14781 for current remediation guidance. Until an official fix is available, avoid enabling the trustEmail=true setting in the OIDC identity provider configuration or disable the userinfo endpoint if feasible. Additionally, do not rely solely on the email_verified claim from the identity provider for critical security decisions.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-07-05T06:32:45.726Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-14781","vendor":"Red Hat"}]
Threat ID: 6a4a029b27e9c79719530df4
Added to database: 07/05/2026, 07:07:07 UTC
Last enriched: 07/05/2026, 07:21:19 UTC
Last updated: 07/05/2026, 08:12:51 UTC
Views: 22
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.