Improper Certificate Validation Affecting org.keycloak:keycloak-services package, versions [0,]
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JAVA-ORGKEYCLOAK-16351886
- published3 May 2026
- disclosed13 Apr 2026
- creditUnknown
Introduced: 13 Apr 2026
CVE-2026-6856 (opens in a new tab)How to fix?
A fix was pushed into the master branch but not yet published.
Overview
org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services.
Affected versions of this package are vulnerable to Improper Certificate Validation via packed self-attestation in WebAuthn registration. An attacker can bypass the AAGUID allowlist by returning self-attestation when direct attestation is requested, as the AAGUID is not verified in this case, allowing registration with an unapproved authenticator.
The attack surface is limited, as project maintainers note: "By default, for a simple implementation, attestation and AAGUIDs may not be considered necessary."