{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Keycloak OIDC token endpoint with grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "keycloak-26.6.3-docker",
    "keycloak-26.6.4-docker",
    "python-client-container"
  ],
  "proof_artifacts": [
    "logs/reproduction_steps.log",
    "logs/vulnerable/exploit.log",
    "logs/vulnerable/forged_jwt.txt",
    "logs/vulnerable/request.txt",
    "logs/vulnerable/response_status.txt",
    "logs/vulnerable/response_body.json",
    "logs/vulnerable/access_token.json",
    "logs/fixed/exploit.log",
    "logs/fixed/response_status.txt",
    "logs/fixed/response_body.json",
    "logs/vuln_keycloak.log",
    "logs/fixed_keycloak.log"
  ],
  "notes": "CVE-2026-11800: HS256 algorithm confusion in JWT Authorization Grant. Vulnerable 26.6.3 accepts forged HS256 assertion signed with RSA public key bytes as HMAC secret, issuing access token for federated user. Fixed 26.6.4 rejects with Invalid signature algorithm."
}