CVEFinder.io

CVE-2026-8830

πŸ”Ά medium
πŸ” Scan for this CVE
Summary

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall

Description

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.

CVSS Score
4.3
Medium
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-19
First Seen: 2026-05-20
πŸ“Š Relative Risk Intelligence

This CVE is Lower Risk - more severe than 5.4% of all 326,604 vulnerabilities in our database.

#308,897
Below average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 19, 2026
πŸ” Exploitation Status
None
No known exploits
βš™οΈ Automatable
NO
Requires human interaction
πŸ’₯ Technical Impact
Partial
Limited system impact
πŸ† Discovered By
Red Hat would like to thank Martin BartoΕ‘ (RedHat) for reporting this issue.
SSVC data provided by CISA
Last Modified 2026-06-02
Source NVD πŸ”—
CVSS Vector 3.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE IDs (Weakness Types)
CWE-603

πŸ“¦ Affected Products 1

Vendor Product Status Affected Versions
redhat build_of_keycloak Affected
v-

πŸ”— References 2

https://access.redhat.com/security/cve/CVE-2026-8830
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2479565
Issue Tracking Vendor Advisory

πŸ”— Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-9791 πŸ”Ά medium 4.3 0.0 A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by acces... 2026-05-28
CVE-2026-9792 πŸ”Ά medium 6.5 0.0 A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When cer... 2026-05-28
CVE-2026-9793 πŸ”Ά medium 5.9 0.0 A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incor... 2026-05-28
CVE-2026-9794 πŸ”Ά medium 5.3 0.0 A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially cra... 2026-05-28
CVE-2026-9795 ⚠️ high 7.3 0.0 A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client man... 2026-05-28
CVE-2026-9796 πŸ”Ά medium 6.5 0.0 A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check ... 2026-05-28
These CVEs affect the same products