The vulnerability in Red Hat Build of Keycloak involves improper verification of cryptographic signatures when processing JWE encrypted request objects. If the decrypted content is raw JSON, Keycloak may incorrectly accept unsigned claims, bypassing the configured signature policy. This enables a remote attacker to submit unauthorized claims, compromising data integrity within the OpenID Connect authorization process. Although a redirect URI allowlist provides some mitigation, this behavior violates OIDC Core and FAPI signing requirements. The CVSS 3.1 base score is 5.9, reflecting a medium severity with network attack vector, high attack complexity, no privileges required, no user interaction, unchanged scope, no confidentiality impact, high integrity impact, and no availability impact. No patch or official remediation guidance is currently provided by Red Hat.

The vulnerability allows remote attackers to bypass signature verification in Keycloak's handling of JWE encrypted requests, leading to unauthorized claims being accepted. This compromises the integrity of the OpenID Connect authorization flow, potentially allowing unauthorized access or manipulation of authorization data. There is no impact on confidentiality or availability reported. The presence of a redirect URI allowlist acts as a compensating control but does not fully mitigate the violation of OIDC and FAPI signing requirements.

As of the current Red Hat advisory, no official patch or remediation level has been announced. Users should monitor the Red Hat advisory page for updates on fixes. The existing redirect URI allowlist provides a compensating control but does not fully mitigate the vulnerability. Organizations should review their Keycloak configurations and consider additional compensating controls until an official fix is released. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.