Keycloak WebAuthn Attestation Verification Bypass Vulnerability

Vulnerability

A vulnerability exists in Keycloak's WebAuthn registration component that allows attackers to bypass attestation policies and register untrusted or forged authenticators. The bypass is achieved by submitting an attestation object whose fmt field is "none", even when the realm requires direct attestation. The flaw weakens authentication integrity and can lead to the unauthorized registration of authenticators.

Impact

Exploitation of this vulnerability can bypass attestation requirements, allowing the registration of authenticators that should be considered untrusted. This could undermine the integrity of the authentication process by enabling the use of forged or unauthorized authentication devices.

Reproduction

To reproduce this vulnerability, initiate WebAuthn registration with 'none' attestation allowed. When the registration page appears, change the attestation preference to 'direct'. Complete the registration process; the registration is accepted despite not providing the required attestation. This behavior indicates the vulnerability, because Keycloak should have rejected the registration under the realm's current attestation policy.
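The root cause described above and in the Vulnerability section is a server that lets the attestation object's own fmt field (or the client's requested preference) satisfy a policy that the realm is supposed to enforce. The following is an added example, not Keycloak's code, of the gate a relying party needs: it decodes the CBOR attestation object, reads fmt, and rejects fmt "none" whenever the realm's stored policy is "direct". The realm_policy values ("none", "indirect", "direct"), the minimal CBOR decoder, and the sample attestation objects built by build_attestation_object are all assumptions and constructed inputs for this example; the placeholder attStmt and authData are not real signatures or authenticator data.

```python
"""Added example (not Keycloak's code): a server-side gate that checks an
attestation object's fmt field against the realm's OWN attestation policy.

Assumptions (not from the advisory): the realm policy is passed in as
realm_policy ("none" | "indirect" | "direct"); the CBOR decoder handles
only the data types an attestation object uses.
"""


def _read_head(buf: bytes, pos: int):
    """Decode one CBOR initial byte plus short length extensions."""
    major, info = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if info < 24:
        return major, info, pos
    if info == 24:
        return major, buf[pos], pos + 1
    if info == 25:
        return major, int.from_bytes(buf[pos:pos + 2], "big"), pos + 2
    if info == 26:
        return major, int.from_bytes(buf[pos:pos + 4], "big"), pos + 4
    raise ValueError("unsupported CBOR length encoding")


def cbor_decode(buf: bytes, pos: int = 0):
    """Minimal CBOR decoder: uint, negint, bstr, tstr, array, map.
    Returns (value, position after the value)."""
    major, arg, pos = _read_head(buf, pos)
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major in (2, 3):
        if pos + arg > len(buf):
            raise ValueError("truncated CBOR string")
        raw = bytes(buf[pos:pos + arg])
        return (raw if major == 2 else raw.decode("utf-8")), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        result = {}
        for _ in range(arg):
            key, pos = cbor_decode(buf, pos)
            val, pos = cbor_decode(buf, pos)
            result[key] = val
        return result, pos
    raise ValueError(f"unsupported CBOR major type {major}")


def check_attestation_policy(attestation_object: bytes, realm_policy: str):
    """Return (accepted, reason). The decision uses only the realm's stored
    policy; the attestation preference the client asked for is never consulted."""
    obj, end = cbor_decode(attestation_object)
    if end != len(attestation_object):
        return False, "trailing bytes after attestation object"
    if not isinstance(obj, dict) or not all(k in obj for k in ("fmt", "attStmt", "authData")):
        return False, "attestation object missing fmt/attStmt/authData"
    fmt = obj["fmt"]
    if realm_policy == "direct" and fmt == "none":
        return False, "realm requires direct attestation but fmt is 'none'"
    if fmt == "none" and obj["attStmt"]:
        return False, "fmt 'none' must carry an empty attStmt"
    # For any other fmt the attestation statement must still be fully verified
    # (signature, certificate chain, trust anchors) before the credential is
    # stored; that verification is outside this policy gate.
    return True, f"fmt '{fmt}' is acceptable under policy '{realm_policy}'"


def _tstr(s: str) -> bytes:
    """CBOR text string header + payload for short (< 24 byte) strings."""
    raw = s.encode()
    return bytes([0x60 | len(raw)]) + raw


def build_attestation_object(fmt: str) -> bytes:
    """Constructed sample attestation object with placeholder attStmt/authData."""
    if fmt == "none":
        att_stmt = b"\xa0"  # empty map {}
    else:
        # {"alg": -7, "sig": b"\x01\x02\x03"}: placeholder, not a real signature
        att_stmt = b"\xa2" + _tstr("alg") + b"\x26" + _tstr("sig") + b"\x43\x01\x02\x03"
    # 37 zero bytes shaped like rpIdHash (32) + flags (1) + signCount (4)
    auth_data = b"\x58\x25" + bytes(37)
    return (b"\xa3" + _tstr("fmt") + _tstr(fmt)
            + _tstr("attStmt") + att_stmt
            + _tstr("authData") + auth_data)


if __name__ == "__main__":
    for fmt, policy in (("none", "direct"), ("none", "none"), ("packed", "direct")):
        print(fmt, policy, check_attestation_policy(build_attestation_object(fmt), policy))
```

The design point is that realm_policy comes from server-side configuration, so a request that advertises fmt "none" is judged against what the realm demands, not against what the client chose to send; the third case (a non-"none" fmt under "direct") only passes this gate and still needs the full attestation statement verification before the authenticator is trusted.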

Remediation

Users can upgrade to the Red Hat build of Keycloak 26.4.4, which includes the fix for this vulnerability.

Added: Feb 27, 2026, 9:24 AM
Updated: Feb 27, 2026, 2:24 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 3.1
exploitability: 4.9
remediation: 7.7
relevance: 3.5
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.