CVE-2026-16093
Keycloak-services: keycloak-services: required signed-jwt assertion policy can be bypassed with unsigned assertion headers
CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th
Keycloak provides a mechanism called Client Policies to enforce security requirements on clients, such as requiring them to use signed JWTs for authentication. A flaw was discovered where this enforcement can be bypassed. An attacker with valid client credentials can provide a fake, unsigned assertion header that tricks the system into thinking the policy requirements have been met. This allows the attacker to authenticate using simpler methods like a client secret even when the administrator has mandated more secure, signed assertions.
| CWE | CWE-807 |
| Vendor | red hat |
| Product | red hat build of keycloak |
| Published | Jul 17, 2026 |
Stay Ahead of the Next One
Get instant alerts for red hat red hat build of keycloak
Be the first to know when new medium vulnerabilities affecting red hat red hat build of keycloak are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
Red Hat / Red Hat Build of Keycloak
All versions affected Red Hat / Red Hat Build of Keycloak
All versions affected Red Hat / Red Hat Build of Keycloak
All versions affected Red Hat / Red Hat Data Grid 8
All versions affected Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack
All versions affected Red Hat / Red Hat Single Sign-On 7
All versions affected References
Credits
Red Hat would like to thank Paul Bottinelli (Trail of Bits) for reporting this issue.