CVE-2026-9704 - Vulnerability Details - OpenCVE

A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Build Keycloak

No data.

No data.

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-9704
https://bugzilla.redhat.com/show_bug.cgi?id=2481877

History

Wed, 27 May 2026 14:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
Title		Keycloak: keycloak: privilege escalation due to oversized subject_token jwt
First Time appeared		Redhat Redhat build Keycloak
Weaknesses		CWE-1284
CPEs		cpe:/a:redhat:build_keycloak:
Vendors & Products		Redhat Redhat build Keycloak
References		https://access.redhat.com/security/cve/CVE-2026-9704 https://bugzilla.redhat.com/show_bug.cgi?id=2481877
Metrics		cvssV3_1 `{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N'}`

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-05-27T12:56:00.858Z

Updated: 2026-05-27T12:56:00.858Z

Reserved: 2026-05-27T12:39:12.284Z

Link: CVE-2026-9704

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-27T14:17:40.480

Modified: 2026-05-27T14:54:20.160

Link: CVE-2026-9704

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-9704", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-05-27T12:39:12.284Z", "datePublished": "2026-05-27T12:56:00.858Z", "dateUpdated": "2026-05-27T12:56:00.858Z"}, "containers": {"cna": {"title": "Keycloak: keycloak: privilege escalation due to oversized subject_token jwt", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-9704", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481877", "name": "RHBZ#2481877", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-05-27T12:45:59.735Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-1284", "description": "Improper Validation of Specified Quantity in Input", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-1284: Improper Validation of Specified Quantity in Input", "workarounds": [{"lang": "en", "value": "To prevent the silent dropping of oversized `subject_token` JWTs, configure Keycloak to enforce strict parameter validation. This involves setting the `fail-fast` parameter to `true` for the `TokenEndpoint` configuration, which will cause requests with oversized parameters to be rejected explicitly rather than silently processed with reduced privileges. Consult Keycloak documentation for the exact method to modify these settings. A restart of the Keycloak service may be necessary for the changes to apply."}], "timeline": [{"lang": "en", "time": "2026-05-27T12:27:13.702Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-05-27T12:45:59.735Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Filip Jovanov (PegasusMKD) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-05-27T12:56:00.858Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}}}