Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

CVE-2026-14781: Improper Validation of Consistency within Input in Red Hat Red Hat Build of Keycloak

0
Medium
VulnerabilityCVE-2026-14781cvecve-2026-14781
Published: 07/05/2026 (07/05/2026, 06:55:30 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat Build of Keycloak

Description

CVE-2026-14781 is a medium severity vulnerability in Red Hat Build of Keycloak involving improper validation of the email_verified claim synchronization in the OIDC broker. When configured with trustEmail=true and the userinfo endpoint enabled, Keycloak may incorrectly mark arbitrary email addresses as verified due to a lack of consistency validation between the id_token and userinfo email claims. This can lead to bypassing email-based security controls and potential account takeover if relying solely on the email_verified flag from the identity provider.

CVSS v3.1

Score 4.8medium

Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/05/2026, 07:21:19 UTC

Technical Analysis

This vulnerability exists in the org.keycloak.broker.oidc package of Red Hat Build of Keycloak. The OIDC broker incorrectly synchronizes the email_verified claim by retrieving the email address from the userinfo endpoint but the email_verified status exclusively from the id_token without validating that both refer to the same email address. If these differ, the id_token's email_verified=true claim is blindly applied to the userinfo email, allowing an attacker who controls or has compromised the upstream OIDC provider to mark arbitrary email addresses as verified. Exploitation requires the OIDC identity provider to have trustEmail set to true (a non-default setting) and the userinfo endpoint enabled (default).

Potential Impact

An attacker controlling or compromising the upstream OIDC provider can cause Keycloak to mark arbitrary email addresses as verified. This undermines email-based security controls and verification workflows, potentially enabling account takeover if applications rely solely on the email_verified flag from the identity provider to link accounts. The CVSS 3.1 base score is 4.8 (medium), reflecting network attack vector, high attack complexity, no privileges required, no user interaction, and limited confidentiality and integrity impact.

Mitigation Recommendations

Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-14781 for current remediation guidance. Until an official fix is available, avoid enabling the trustEmail=true setting in the OIDC identity provider configuration or disable the userinfo endpoint if feasible. Additionally, do not rely solely on the email_verified claim from the identity provider for critical security decisions.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Data Version
5.2
Assigner Short Name
redhat
Date Reserved
2026-07-05T06:32:45.726Z
Cvss Version
3.1
State
PUBLISHED
Remediation Level
null
Vendor Advisory Urls
[{"url":"https://access.redhat.com/security/cve/CVE-2026-14781","vendor":"Red Hat"}]

Threat ID: 6a4a029b27e9c79719530df4

Added to database: 07/05/2026, 07:07:07 UTC

Last enriched: 07/05/2026, 07:21:19 UTC

Last updated: 07/05/2026, 08:12:51 UTC

Views: 22

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses