Keycloak
cpe:2.3:a:redhat:keycloak:*:*:*:*:*:*:*
- <= 0.0.0
A vulnerability exists in Keycloak's handling of JSON Web Encryption (JWE) encrypted request objects. When the decrypted content is raw JSON rather than a signed token, Keycloak may accept the unsigned claims and ignore the configured request object signature policy. This flaw enables remote attackers to introduce unauthorized claims, jeopardizing the integrity of the OpenID Connect (OIDC) authorization process. Although a redirect URI allowlist provides some mitigation, this behaviour contravenes the OIDC Core and Financial-grade API (FAPI) signing requirements.
Exploiting this vulnerability allows attackers to bypass the request object signature algorithm policy, potentially leading to unauthorized claims being processed in the OIDC authorization flow. This manipulation of claims can disrupt the integrity of the authorization process, although the redirect URI allowlist may prevent complete exfiltration of authorization codes or tokens.