Skip to content
Verified reproduction

CVE-2026-11800: Keycloak JWT algorithm confusion privilege escalation

CVE-2026-11800 is verified against keycloak/keycloak · github affected versions: Keycloak < 26.6.4 (26.6.x line) fixed version: 26.6.4 vulnerability class: Privilege Escalation This high reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00243.

REPRO-2026-00243 keycloak/keycloak · github Privilege Escalation Variant found Jul 6, 2026 .txt
Severity HIGH
Confidence HIGH
Reproduced in 46m 0s
Tool calls 281
Spend $7.18
Affected Keycloak < 26.6.4 (26.6.x line)
Fixed in 26.6.4
$ pruva-verify REPRO-2026-00243
or curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00243/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh
Run in a VM or disposable container. This exploits a real vulnerability.
02 · The vulnerability

A flaw in Keycloak creates a JWT algorithm confusion vulnerability in the JWT Authorizer. An attacker can craft a JWT using a different algorithm to bypass authorization and escalate privileges. Reproduce: run a vulnerable Keycloak build, create a crafted JWT using algorithm confusion (e.g., HS256/RS256 confusion), present it to the Authorizer, and gain unauthorized access.

03 · Root cause
Variant analysis
04 · Reproduction transcript

The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.

Loading session...

05 · Artifacts

Scripts, logs, diffs, and output captured during the reproduction.

bundle/artifact_promotion_manifest.json17.6 KB
bundle/vuln_variant/source_identity.json2.4 KB
bundle/vuln_variant/root_cause_equivalence.json2.8 KB
bundle/repro/reproduction_steps.sh17.2 KB
bundle/repro/rca_report.md12.5 KB
bundle/repro/runtime_manifest.json1.1 KB
bundle/logs/vulnerable/response_body.json1.4 KB
bundle/logs/fixed/response_body.json0.1 KB
bundle/logs/vulnerable/access_token.json2.2 KB
bundle/logs/vulnerable/forged_jwt.txt0.3 KB
bundle/repro/validation_verdict.json0.9 KB
bundle/logs/reproduction_steps.log11.6 KB
bundle/logs/vulnerable/exploit.log0.8 KB
bundle/logs/vulnerable/request.txt0.5 KB
bundle/logs/vulnerable/response_status.txt0.0 KB
bundle/logs/fixed/exploit.log0.7 KB
bundle/logs/fixed/response_status.txt0.0 KB
bundle/logs/vuln_keycloak.log2.7 KB
bundle/logs/fixed_keycloak.log3.2 KB
bundle/vuln_variant/reproduction_steps.sh9.4 KB
bundle/logs/vuln_variant/vulnerable/access_token.json2.3 KB
bundle/logs/vuln_variant/fixed/response_body.json0.1 KB
bundle/vuln_variant/variant_manifest.json6.3 KB
bundle/vuln_variant/validation_verdict.json2.9 KB
bundle/vuln_variant/rca_report.md15.2 KB
bundle/vuln_variant/patch_analysis.md8.4 KB
bundle/vuln_variant/runtime_manifest.json1.9 KB
bundle/logs/vuln_variant/reproduction_steps.log3.3 KB
bundle/logs/vuln_variant/exploit_run.log7.7 KB
bundle/logs/vuln_variant/vulnerable/exploit.log1.5 KB
bundle/logs/vuln_variant/vulnerable/forged_subject_token.txt0.3 KB
bundle/logs/vuln_variant/vulnerable/request.txt0.6 KB
bundle/logs/vuln_variant/vulnerable/response_status.txt0.0 KB
bundle/logs/vuln_variant/vulnerable/response_body.json1.6 KB
bundle/logs/vuln_variant/fixed/exploit.log1.1 KB
bundle/logs/vuln_variant/fixed/forged_subject_token.txt0.3 KB
bundle/logs/vuln_variant/fixed/request.txt0.6 KB
bundle/logs/vuln_variant/fixed/response_status.txt0.0 KB
bundle/logs/vuln_variant/vuln_keycloak.log2.9 KB
bundle/logs/vuln_variant/fixed_keycloak.log3.7 KB
bundle/logs/vuln_variant/image_metadata.txt2.9 KB