CVE-2026-9704— Keycloak: keycloak: privilege escalation due to oversized subject_token jwt
Possible ATT&CK Techniques 1AI
T1078 · Valid AccountsAffected Version Matrix 1
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | any | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-9704
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Keycloak: keycloak: privilege escalation due to oversized subject_token jwt
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1284
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | - | cpe:/a:redhat:build_keycloak: |
II. Public POCs for CVE-2026-9704
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-9704
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-9704 (1)
- 🔗 2481877 – (CVE-2026-9704) CVE-2026-9704 keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT Read full article issue-trackingx_refsource_REDHAT
Other References for CVE-2026-9704 (1)
Same Patch Batch · Red Hat · 2026-05-27 · 5 CVEs total
| CVE-2026-3012 | 8.0 HIGH | Samba: group policy certificate enrollment uses http:// without validation |
| CVE-2026-1933 | 7.1 HIGH | Samba: missing access check on reparse point operations |
| CVE-2026-2340 | 6.5 MEDIUM | Samba: vfs_worm does not block directory modification |
| CVE-2026-9689 | 4.2 MEDIUM | Keycloak: org.keycloak.protocol.oidc: http parameter pollution in oidc redirect uri allows |
IV. Related Vulnerabilities
Same product: Red Hat Build of Keycloak
- CVE-2026-9689
Keycloak: org.keycloak.protocol.oidc: http parameter polluti - CVE-2026-9087
Keycloak: cross-session email verification proof not bound t - CVE-2026-8922
Org.keycloak/keycloak-services: keycloak: org.keycloak.proto - CVE-2026-8830
Keycloak: org.keycloak/keycloak-services: keycloak: policy b - CVE-2026-7500
Org.keycloak.keycloak-services: improper access control on k
Same vendor: Red Hat
- CVE-2026-1933
Samba: missing access check on reparse point operations - CVE-2026-2340
Samba: vfs_worm does not block directory modification - CVE-2026-9689
Keycloak: org.keycloak.protocol.oidc: http parameter polluti - CVE-2026-3012
Samba: group policy certificate enrollment uses http:// with - CVE-2026-42013
Gnutls: gnutls: certificate validation bypass due to oversiz
Same weakness: CWE-1284
- CVE-2026-7254
Open BMC Denial of Service - CVE-2026-3676
There are multiple vulnerabilities in IBM DB2 bundled with I - CVE-2026-42744
WordPress Ads by WPQuads plugin <= 3.0.2 - Bypass Vulnerabil - CVE-2026-42732
WordPress Ads by WPQuads plugin <= 3.0.2 - Broken Authentica - CVE-2026-42013
Gnutls: gnutls: certificate validation bypass due to oversiz
V. Comments for CVE-2026-9704
No comments yet