{
  "entrypoint_kind": "api_remote",
  "entrypoint_detail": "Keycloak OIDC token endpoint external-internal token exchange (grant_type=urn:ietf:params:oauth:grant-type:token-exchange, subject_token_type=urn:ietf:params:oauth:token-type:jwt, subject_issuer=<oidc-idp>)",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": ["keycloak-26.6.3-docker", "keycloak-26.6.4-docker", "python-client-container"],
  "features_enabled": "token-exchange,admin-fine-grained-authz:v1",
  "proof_artifacts": [
    "logs/vuln_variant/reproduction_steps.log",
    "logs/vuln_variant/exploit_run.log",
    "logs/vuln_variant/vulnerable/exploit.log",
    "logs/vuln_variant/vulnerable/forged_subject_token.txt",
    "logs/vuln_variant/vulnerable/request.txt",
    "logs/vuln_variant/vulnerable/response_status.txt",
    "logs/vuln_variant/vulnerable/response_body.json",
    "logs/vuln_variant/vulnerable/access_token.json",
    "logs/vuln_variant/fixed/exploit.log",
    "logs/vuln_variant/fixed/forged_subject_token.txt",
    "logs/vuln_variant/fixed/request.txt",
    "logs/vuln_variant/fixed/response_status.txt",
    "logs/vuln_variant/fixed/response_body.json",
    "logs/vuln_variant/vuln_keycloak.log",
    "logs/vuln_variant/fixed_keycloak.log",
    "logs/vuln_variant/image_metadata.txt"
  ],
  "variant_verdict": "alternate_trigger",
  "notes": "CVE-2026-11800 alternate-trigger variant via OIDC external-internal token exchange. Same root cause (HardcodedPublicKeyLoader HMAC branch) reached from a different entry point (subject_token token exchange) that does NOT pass through AbstractBaseJWTValidator.validateSignatureAlgorithm (the fix's Layer 1 algorithm-type gate); only Layer 2 (HardcodedPublicKeyLoader HMAC removal) covers it. Vulnerable 26.6.3 accepts forged HS256 subject_token and issues an access token for the impersonated federated user; fixed 26.6.4 rejects (HMAC branch removed -> key not found -> invalid token)."
}
