2481877 – (CVE-2026-9704) CVE-2026-9704 keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT

Bug 2481877 (CVE-2026-9704) - CVE-2026-9704 keycloak: Keycloak: Privilege escalation due to oversized subject_token JWT

Summary: CVE-2026-9704 keycloak: Keycloak: Privilege escalation due to oversized subje...

Keywords:
Status:	NEW
Alias:	CVE-2026-9704
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2026-05-27 12:41 UTC by OSIDB Bzimport
Modified:	2026-05-27 12:47 UTC (History)
CC List:	11 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2026-05-27 12:41:35 UTC

A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.

Note You need to log in before you can comment on or make changes to this bug.