CVE-2026-1529 (severity: HIGH)

CVE-2026-1529: Org.keycloak.services.resources.organizations: keycloak: unauthorized organization registration via improper invitation token validation

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.2.13
Weakness: CWE-347
Published: February 9, 2026
Last update: June 30, 2026

CVSS base score

8.1/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01 Description

A flaw was found in Keycloak. An attacker holding a legitimate organization invitation token can modify the organization ID and target email inside the token's JSON Web Token (JWT) payload. Because the token's cryptographic signature is not verified, the modified payload is accepted, allowing the attacker to self-register into an organization they were not invited to and gain unauthorized access to it.

Key dates

02 Disclosure timeline

February 9, 2026: CVE published
June 30, 2026: Record updated