CVE-2026-1529

HIGH

Keycloak 26.5.0-26.5.2 - Unauthenticated Organization Access via JWT Invitation Token Tampering

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2026-1529. PoCs published by ninjazan420, 0x240x23elu, ackemed.

AI-analyzed exploit summary: This repository contains a functional exploit for CVE-2026-1529, which allows unauthorized organization registration in Keycloak due to improper JWT token validation. The exploit manipulates the `org_id` and `email` fields in the JWT payload to register users in unauthorized organizations.

Description

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. Because the token's cryptographic signature is not verified, the tampered token is still accepted, allowing the attacker to self-register into an unauthorized organization and gain unauthorized access.

Exploits (3)

nomisec WORKING POC 3 stars
by ninjazan420 · poc
https://github.com/ninjazan420/CVE-2026-1529-PoC-keycloak-unauthorized-registration-via-improper-invitation-token-validation

This repository contains a functional exploit for CVE-2026-1529, which allows unauthorized organization registration in Keycloak due to improper JWT token validation. The exploit manipulates the `org_id` and `email` fields in the JWT payload to register users in unauthorized organizations.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Keycloak (org.keycloak.services.resources.organizations)
Authentication: No auth needed
Prerequisites: Python 3.7 or higher · pip package manager · Target Keycloak instance
Analyzed by devstral-2 · Feb 18, 2026
nomisec WORKING POC 1 stars
by 0x240x23elu · poc
https://github.com/0x240x23elu/CVE-2026-1529

This repository contains a functional exploit for CVE-2026-1529 targeting Keycloak, demonstrating unauthorized access via JWT manipulation and HTTP request crafting. The exploit includes detailed setup guides, configuration options, and troubleshooting steps.

Classification: Working PoC (90%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Keycloak (version not specified)
Authentication: No auth needed
Prerequisites: Python 3.7+ · requests >= 2.28.0 · urllib3 >= 2.0.0 · PyJWT >= 2.8.0
Analyzed by devstral-2 · Feb 18, 2026
nomisec WORKING POC
by ackemed · poc
https://github.com/ackemed/CVE-2026-1529-PoC-keycloak-unauthorized-registration-via-improper-invitation-token-validation

This repository contains a functional exploit for CVE-2026-1529, which allows unauthorized organization registration in Keycloak due to improper JWT token validation. The exploit manipulates the `org_id` and `email` fields in the JWT payload to register users in unauthorized organizations.

Classification: Working PoC (95%)
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Keycloak (org.keycloak.services.resources.organizations)
Authentication: No auth needed
Prerequisites: Python 3.7 or higher · pip package manager · target Keycloak instance URL
Analyzed by devstral-2 · Apr 09, 2026

References (6)

Core References (6)

Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2026:2363
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2026:2364
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2026:2365
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2026:2366
Vendor Advisory (vdb-entry, x_refsource_redhat): https://access.redhat.com/security/cve/CVE-2026-1529
Issue Tracking (issue-tracking, x_refsource_redhat): https://bugzilla.redhat.com/show_bug.cgi?id=2433783

Scores

CVSS v3: 8.1
EPSS: 0.0001
EPSS Percentile: 1.9%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial

Details

CWE: CWE-347
Status: published
Products (8)
org.keycloak/keycloak-services 26.5.0 - 26.5.3 (Maven)
Red Hat/Red Hat build of Keycloak 26.2 26.2-15
Red Hat/Red Hat build of Keycloak 26.2 26.2.13-1
Red Hat/Red Hat build of Keycloak 26.2.13
Red Hat/Red Hat build of Keycloak 26.4 26.4-10
Red Hat/Red Hat build of Keycloak 26.4 26.4-11
Red Hat/Red Hat build of Keycloak 26.4 26.4.9-1
Red Hat/Red Hat build of Keycloak 26.4.9
Published: Feb 09, 2026
Tracked Since: Feb 18, 2026