Keycloak Invitation Token Vulnerability Allows Unauthorized Organization Registration

Vulnerability

A vulnerability in Keycloak's invitation token validation process allows unauthorized organization registration. The issue arises because invitation tokens are processed without verifying their cryptographic signatures. An attacker can modify the organization ID and target email in a legitimate invitation token's JSON Web Token (JWT) payload, enabling them to self-register in an unauthorized organization.
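To make the defect concrete, the following added Python example (not Keycloak's own code) contrasts the insecure pattern of reading a JWT payload without checking its signature with a verifier that validates the signature first and then binds the token to the organization and email the invitation was issued for. The HS256 shared secret and the claim names `org_id` and `email` are assumptions for this demo; Keycloak signs action tokens with realm keys and uses its own claim layout.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real deployment would use the realm's signing key.
DEMO_SECRET = b"constructed-demo-secret"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_invitation(org_id, email, ttl=3600, now=None):
    """Issue an HS256-signed invitation token that binds org_id and email (demo claim names)."""
    now = int(time.time()) if now is None else now
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"org_id": org_id, "email": email, "exp": now + ttl}).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def insecure_decode(token):
    """The defect pattern: trusts whatever the payload says without checking the signature."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verify_invitation(token, expected_org, expected_email, now=None):
    """Accept the token only if signature, expiry and the bound org/email all check out."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token") from None
    # 1. Verify the signature in constant time before trusting any claim.
    expected_sig = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    # 2. Defense in depth: only accept a header that names the algorithm we verify with.
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected algorithm")
    payload = json.loads(_b64url_decode(payload_b64))
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    # 3. The registration must target exactly the organization and address the invitation
    #    was issued for; any mismatch means the token was modified or reused elsewhere.
    if payload.get("org_id") != expected_org or (payload.get("email") or "").lower() != expected_email.lower():
        raise ValueError("token not bound to this invitation")
    return payload
```

The server-side fix this illustrates is ordering: signature check, then algorithm and expiry, then claim binding, with the expected organization and email coming from the server's own invitation record rather than from the token.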

Impact

Exploitation of this vulnerability allows unauthorized users to register in organizations they do not belong to, potentially leading to unauthorized access and privileges within those organizations.

Reproduction

To reproduce this vulnerability, obtain a legitimate invitation token and remove the cryptographic signature verification. Then, modify the organization ID and target email in the token's JWT payload before using it to register an account.

Remediation

Users can upgrade to the latest Red Hat build of Keycloak, version 26.4.9, which addresses this vulnerability.

Added: Feb 9, 2026, 8:32 PM
Updated: Feb 10, 2026, 2:41 AM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           5.2
  impact           5.0
  exploitability   6.6
  remediation      7.7
  relevance        2.9
  threat           1.6
  urgency          2.9
  incentive        0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.