CVE-2026-8830— Keycloak: org.keycloak/keycloak-services: keycloak: policy bypass during webauthn credential registration via client-side javascript manipulation
Affected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | any | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-8830
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Keycloak: org.keycloak/keycloak-services: keycloak: policy bypass during webauthn credential registration via client-side javascript manipulation
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
使用客户端的认证机制
Source: NVD (National Vulnerability Database)
Vulnerability Title
Keycloak 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在安全漏洞,该漏洞源于服务端processAction未验证新凭证参数,可能导致绕过WebAuthn策略创建不合规凭证。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | - | cpe:/a:redhat:build_keycloak: |
II. Public POCs for CVE-2026-8830
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-8830
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-8830 (2)
Same Patch Batch · Red Hat · 2026-05-19 · 11 CVEs total
| CVE-2026-7504 | 8.1 HIGH | Org.keycloak/keycloak-services: open redirect when using wildcard valid redirect uris in k |
| CVE-2026-7507 | 7.5 HIGH | Org.keycloak/keycloak-services: session fixation in oidc login flow that can lead to accou |
| CVE-2026-7307 | 7.5 HIGH | Keycloak: keycloak: denial of service via specially crafted saml input |
| CVE-2026-7571 | 7.1 HIGH | Keycloak: keycloak: access token disclosure and implicit flow bypass via forged client dat |
| CVE-2026-37982 | 6.8 MEDIUM | Keycloak: org.keycloak.authentication: keycloak: unauthorized account takeover via webauth |
| CVE-2026-4630 | 6.8 MEDIUM | Keycloak: keycloak: unauthorized resource access and data modification via insecure direct |
| CVE-2026-37979 | 6.5 MEDIUM | Keycloak: keycloak: information disclosure via oidc token introspection endpoint audience |
| CVE-2026-8922 | 5.4 MEDIUM | Org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: security flaw in org |
| CVE-2026-37978 | 4.9 MEDIUM | Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admi |
| CVE-2026-37981 | 4.3 MEDIUM | Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access c |
IV. Related Vulnerabilities
Same product: Red Hat Build of Keycloak
- CVE-2026-9704
Keycloak: keycloak: privilege escalation due to oversized su - CVE-2026-9689
Keycloak: org.keycloak.protocol.oidc: http parameter polluti - CVE-2026-9087
Keycloak: cross-session email verification proof not bound t - CVE-2026-8922
Org.keycloak/keycloak-services: keycloak: org.keycloak.proto - CVE-2026-7500
Org.keycloak.keycloak-services: improper access control on k
Same vendor: Red Hat
- CVE-2026-9704
Keycloak: keycloak: privilege escalation due to oversized su - CVE-2026-1933
Samba: missing access check on reparse point operations - CVE-2026-2340
Samba: vfs_worm does not block directory modification - CVE-2026-9689
Keycloak: org.keycloak.protocol.oidc: http parameter polluti - CVE-2026-3012
Samba: group policy certificate enrollment uses http:// with
Same weakness: CWE-603
- CVE-2026-42098
Authorization Bypass in Sparx Enterprise Architect - CVE-2026-40551
Use of Client-Side Authentication in mpGabinet - CVE-2025-30042
Session generation possible with certificate number only - CVE-2026-1363
JNC|IAQS and I6 - Client-Side Enforcement of Server-Side Sec - CVE-2025-64119
Nuvation Energy BMS Client-side Authentication
V. Comments for CVE-2026-8830
No comments yet