{
  "repository": "https://github.com/keycloak/keycloak",
  "commit_source": "image_build_metadata",
  "commit_sha": "d343c7373dcc7bfeb9dc14de2309836299c81837",
  "submitted_target": {
    "target_kind": "container_image",
    "version": "26.6.3",
    "ref": "quay.io/keycloak/keycloak:26.6.3",
    "image_id": "sha256:9b0330756022422149aa6502eb2def8cd47c6e1b000c7c65cdb13e7c0133e992",
    "image_created": "2026-06-25T08:22:13.134332876Z",
    "oci_image_revision_label": "be9ce7fa2cecc897d47e8922ba9e6b86cee881b0",
    "oci_image_source_label": "https://github.com/keycloak-rel/keycloak-rel",
    "display": "quay.io/keycloak/keycloak:26.6.3 (vulnerable)"
  },
  "variant_target": {
    "target_kind": "container_image",
    "commit_sha": "d343c7373dcc7bfeb9dc14de2309836299c81837",
    "version": "26.6.4",
    "ref": "quay.io/keycloak/keycloak:26.6.4",
    "image_id": "sha256:0aae0de7fca85525f727d3354df17896092de8bb26ae4c12d89c77e5df8cbce4",
    "image_created": "2026-07-01T08:49:26.634985437Z",
    "oci_image_revision_label": "be9ce7fa2cecc897d47e8922ba9e6b86cee881b0",
    "oci_image_source_label": "https://github.com/keycloak-rel/keycloak-rel",
    "display": "quay.io/keycloak/keycloak:26.6.4 (fixed)"
  },
  "fix_commit": {
    "sha": "d343c7373dcc7bfeb9dc14de2309836299c81837",
    "pr": "https://github.com/keycloak/keycloak/pull/50374",
    "title": "Remove support for symmetric algorithms in JWT public key validators",
    "closes_issue": "https://github.com/keycloak/keycloak/issues/50357"
  },
  "runtime_features_enabled": "token-exchange,admin-fine-grained-authz:v1",
  "notes": "Both vulnerable and fixed targets were tested as Docker images from quay.io/keycloak/keycloak (Red Hat Build of Keycloak). The upstream Keycloak fix commit d343c7373dcc7bfeb9dc14de2309836299c81837 (PR #50374) is the code change that makes the 26.6.4 image reject the forged HS256 subject_token; it was inspected directly via git (clone of github.com/keycloak/keycloak at that commit). The OCI image labels report org.opencontainers.image.revision=be9ce7fa2cecc897d47e8922ba9e6b86cee881b0 and source=https://github.com/keycloak-rel/keycloak-rel (the release-packaging repo), which is the same for both 26.6.3 and 26.6.4 tags; the authoritative source-level fix identity is the upstream keycloak commit d343c7373dcc7bfeb9dc14de2309836299c81837. Image build metadata captured in bundle/logs/vuln_variant/image_metadata.txt."
}
