Security Advisory

CVE-2026-9087

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2026-05-20 16:13:03
Last updated 2026-05-21 14:02:09
Assigner redhat
State PUBLISHED

Description

A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local account.
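The binding gap in that description, as an added illustration that is not Keycloak's code: a minimal model of a one-time account-linking proof, first keyed only by (user id, IdP alias) and then bound to the upstream subject that was verified. All names (`LinkStore`, `issue_proof`, `consume_proof`, the subjects and alias) are constructed for this model.

```python
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class LinkProof:
    user_id: str                     # local account being linked
    idp_alias: str                   # upstream IdP the proof was issued for
    upstream_subject: Optional[str]  # None models the flawed, unbound proof


@dataclass
class LinkStore:
    proofs: dict = field(default_factory=dict)   # token -> LinkProof
    links: dict = field(default_factory=dict)    # (user_id, alias) -> subject


def issue_proof(store, user_id, idp_alias, verified_subject, bind_subject):
    """Issue a one-time proof after the user verified an upstream account.
    bind_subject=False keys it only by (user_id, idp_alias), as in the flaw;
    True also records which upstream subject was actually verified."""
    token = secrets.token_urlsafe(16)
    store.proofs[token] = LinkProof(
        user_id, idp_alias, verified_subject if bind_subject else None)
    return token


def consume_proof(store, token, user_id, idp_alias, presented_subject):
    """Consume the proof and link presented_subject; True if a link was made."""
    proof = store.proofs.pop(token, None)  # one-time use in both variants
    if proof is None or (proof.user_id, proof.idp_alias) != (user_id, idp_alias):
        return False
    if proof.upstream_subject is not None and proof.upstream_subject != presented_subject:
        return False  # hardened path: proof must match the verified identity
    store.links[(user_id, idp_alias)] = presented_subject
    return True


def linked_subject_after_cross_account_use(bind_subject):
    """Constructed scenario: proof issued for upstream 'subject-A', then
    presented by a second account on the same IdP, 'subject-B'.
    Returns which subject ended up linked to the local account, if any."""
    store = LinkStore()
    token = issue_proof(store, "local-user-1", "corp-oidc", "subject-A", bind_subject)
    consume_proof(store, token, "local-user-1", "corp-oidc", "subject-B")
    return store.links.get(("local-user-1", "corp-oidc"))
```

With the unbound proof the second upstream account ends up linked; with the subject-bound proof the link attempt is rejected, which is the check a fix needs to add.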