2 matches found
CVE-2026-16093 Keycloak-services: keycloak-services: required signed-jwt assertion policy can be bypassed with unsigned assertion headers
Keycloak provides a mechanism called Client Policies to enforce security requirements on clients, such as requiring them to use signed JWTs for authentication. A flaw was discovered where this enforcement can be bypassed. An attacker with valid client credentials can provide a fake, unsigned...
CVE-2026-16093
CVE-2026-16093 affects Keycloak’s Client Policies by allowing bypass of the requirement to use signed JWTs. A flaw lets an attacker with valid client credentials submit a fake, unsigned assertion header, making the system think policy requirements are met and enabling authentication with simpler ...