CVE-2026-1529: Keycloak vulnerability allows unauthorized organization registration via improper invitation token validation
Summary
CVE-2026-1529 is a high-severity vulnerability in Keycloak that allows an attacker to self-register in an unauthorized organization by tampering with the invitation token payload, because the token's JWT signature is not properly verified. The CVSS score is 8.1 (High). Mitigations include validating JWT signatures, updating to patched Keycloak versions, auditing invitation token generation, and enforcing strict organization-registration controls; PoCs are publicly available.
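The following is an added illustration of the flaw class the advisory describes, written for this page; it is not Keycloak's code, not its invitation-token format, and not the project's fix. It assumes a minimal HS256-signed JWT with illustrative claim names (`org_id`, `email`), a constructed issuer key, and hypothetical function names. It contrasts the flawed pattern (decoding the payload and trusting its organization claim without checking the signature) with the hardened pattern (pin the algorithm, verify the signature in constant time, and only then compare the verified organization claim against the organization being joined).

```python
import base64
import hashlib
import hmac
import json

# Constructed example key standing in for whatever key the issuer holds.
# Not a Keycloak key and not taken from the advisory.
ISSUER_KEY = b"example-issuer-key-not-real"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that base64url strips.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_invitation(org_id: str, email: str, key: bytes = ISSUER_KEY) -> str:
    """Mint an HS256-signed invitation token (claim names are illustrative)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps({"org_id": org_id, "email": email}, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def accept_invitation_insecure(token: str) -> dict:
    """Flawed pattern: read the claims and trust them; the signature is never checked."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def accept_invitation_secure(token: str, key: bytes = ISSUER_KEY) -> dict:
    """Hardened pattern: verify the signature before any claim is used."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The verifier pins the algorithm; the token must not choose it (e.g. "none").
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    return json.loads(_b64url_decode(payload_b64))


def register_member(token: str, requested_org: str, key: bytes = ISSUER_KEY) -> bool:
    """Registration gate: the *verified* org claim must match the organization being joined."""
    claims = accept_invitation_secure(token, key)
    return claims.get("org_id") == requested_org


def tampered_copy(token: str, new_org: str) -> str:
    """Test fixture: a copy of the token whose org claim is changed but whose signature is left as issued.
    Used only to show that the hardened verifier rejects a modified payload."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload["org_id"] = new_org
    new_payload_b64 = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return f"{header_b64}.{new_payload_b64}.{sig_b64}"


if __name__ == "__main__":
    token = issue_invitation("org-a", "alice@example.test")
    modified = tampered_copy(token, "org-b")
    print("insecure path accepts org:", accept_invitation_insecure(modified)["org_id"])  # org-b
    try:
        accept_invitation_secure(modified)
    except ValueError as exc:
        print("secure path rejects:", exc)  # invalid signature
    print("registration into org-a allowed:", register_member(token, "org-a"))  # True
    print("registration into org-b allowed:", register_member(token, "org-b"))  # False
```

The two points an auditor would check in an invitation flow are visible here: the organization used for registration must come from a payload whose signature has already been verified against the issuer's key with the algorithm pinned by the verifier, and the verified claim must then be compared with the organization the user is actually joining rather than taken from the request.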