This advisory covers a set of 14 security vulnerabilities in Red Hat build of Keycloak 26.6.3, a standalone authentication and single sign-on server. The vulnerabilities include unauthorized token acquisition (CVE-2026-9792), privilege escalation via oversized JWT tokens (CVE-2026-9704), denial of service through malformed LDAP responses and authorization headers (CVE-2026-9801, CVE-2026-9803), data leaks after feature disablement (CVE-2026-9791), information disclosure through SAML ECP endpoint and CORS header injection (CVE-2026-9794, CVE-2026-37977), unauthorized account access via replayed refresh tokens (CVE-2026-9802), bypasses in email verification and WebAuthn registration (CVE-2026-9087, CVE-2026-8830), improper access control when account API is disabled (CVE-2026-7500), and server-side request forgery via OIDC token endpoint manipulation (CVE-2026-4874). These vulnerabilities impact authentication, authorization, and data confidentiality in Keycloak deployments. Red Hat has issued an update to address these issues.

The vulnerabilities collectively allow attackers to bypass security restrictions, escalate privileges, cause denial of service, leak sensitive organizational and user data, gain unauthorized account access, and perform server-side request forgery attacks. These impacts can compromise the confidentiality, integrity, and availability of authentication services provided by Keycloak, potentially affecting web and mobile applications relying on it for single sign-on and identity management.

Red Hat has released updated packages for Red Hat build of Keycloak 26.6.3 that address these vulnerabilities. Users should back up their existing installations, including applications, configuration files, and databases, before applying the update. Applying the official Red Hat update is the recommended remediation. Patch status is confirmed by the vendor advisory. No additional mitigations or workarounds are specified in the advisory.