Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-7507 (GCVE-0-2026-7507)
Vulnerability from cvelistv5 – Published: 2026-05-19 11:01 – Updated: 2026-05-20 15:48
VLAI?
EPSS
Title
Org.keycloak/keycloak-services: session fixation in oidc login flow that can lead to account takeover
Summary
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
Severity ?
7.5 (High)
CWE
- CWE-290 - Authentication Bypass by Spoofing
Assigner
References
6 references
| URL | Tags |
|---|---|
| https://access.redhat.com/errata/RHSA-2026:19594 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:19595 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:19596 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/errata/RHSA-2026:19597 | vendor-advisoryx_refsource_REDHAT |
| https://access.redhat.com/security/cve/CVE-2026-7507 | vdb-entryx_refsource_REDHAT |
| https://bugzilla.redhat.com/show_bug.cgi?id=2464145 | issue-trackingx_refsource_REDHAT |
Impacted products
8 products
| Vendor | Product | Version | |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.2 |
Unaffected:
26.2.16-1 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.2::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.2 |
Unaffected:
26.2-21 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.2::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.2 |
Unaffected:
26.2-21 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.2::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.2.16 |
cpe:/a:redhat:build_keycloak:26.2::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4.12-1 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4-17 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4 |
Unaffected:
26.4-17 , < *
(rpm)
cpe:/a:redhat:build_keycloak:26.4::el9 |
|
| Red Hat | Red Hat build of Keycloak 26.4.12 |
cpe:/a:redhat:build_keycloak:26.4::el9 |
Date Public ?
2026-05-19 10:51
Credits
Red Hat would like to thank Hacking Team (Calif.io) for reporting this issue.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-7507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-19T13:40:38.753128Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-19T13:40:46.890Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.2::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.2.16-1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.2::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.2-21",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.2::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.2",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.2-21",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.2::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.2.16",
"vendor": "Red Hat"
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-operator-bundle",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4.12-1",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-17",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://catalog.redhat.com/software/containers/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "affected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.4",
"vendor": "Red Hat",
"versions": [
{
"lessThan": "*",
"status": "unaffected",
"version": "26.4-17",
"versionType": "rpm"
}
]
},
{
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"cpes": [
"cpe:/a:redhat:build_keycloak:26.4::el9"
],
"defaultStatus": "unaffected",
"packageName": "rhbk/keycloak-rhel9-operator",
"product": "Red Hat build of Keycloak 26.4.12",
"vendor": "Red Hat"
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Hacking Team (Calif.io) for reporting this issue."
}
],
"datePublic": "2026-05-19T10:51:31.418Z",
"descriptions": [
{
"lang": "en",
"value": "A session fixation vulnerability was found in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint\u2014which processes session handles without adequate CSRF protection or cookie ownership validation\u2014an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim\u0027s credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts."
}
],
"metrics": [
{
"other": {
"content": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"value": "Important"
},
"type": "Red Hat severity rating"
}
},
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-290",
"description": "Authentication Bypass by Spoofing",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-20T15:48:23.138Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2026:19594",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19594"
},
{
"name": "RHSA-2026:19595",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19595"
},
{
"name": "RHSA-2026:19596",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"name": "RHSA-2026:19597",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/security/cve/CVE-2026-7507"
},
{
"name": "RHBZ#2464145",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464145"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-30T14:57:56.441Z",
"value": "Reported to Red Hat."
},
{
"lang": "en",
"time": "2026-05-19T10:51:31.418Z",
"value": "Made public."
}
],
"title": "Org.keycloak/keycloak-services: session fixation in oidc login flow that can lead to account takeover",
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."
}
],
"x_generator": {
"engine": "cvelib 1.8.0"
},
"x_redhatCweChain": "CWE-290: Authentication Bypass by Spoofing"
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2026-7507",
"datePublished": "2026-05-19T11:01:25.443Z",
"dateReserved": "2026-04-30T14:58:15.177Z",
"dateUpdated": "2026-05-20T15:48:23.138Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-7507",
"date": "2026-05-25",
"epss": "0.00021",
"percentile": "0.06065"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-7507\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2026-05-19T12:16:19.687\",\"lastModified\":\"2026-05-20T17:16:28.883\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A session fixation vulnerability was found in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint\u2014which processes session handles without adequate CSRF protection or cookie ownership validation\u2014an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim\u0027s credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19594\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19595\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19596\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2026:19597\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/security/cve/CVE-2026-7507\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2464145\",\"source\":\"secalert@redhat.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-7507\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-19T13:40:38.753128Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-19T13:40:43.278Z\"}}], \"cna\": {\"title\": \"Org.keycloak/keycloak-services: session fixation in oidc login flow that can lead to account takeover\", \"credits\": [{\"lang\": \"en\", \"value\": \"Red Hat would like to thank Hacking Team (Calif.io) for reporting this issue.\"}], \"metrics\": [{\"other\": {\"type\": \"Red Hat severity rating\", \"content\": {\"value\": \"Important\", \"namespace\": \"https://access.redhat.com/security/updates/classification/\"}}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.2\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.2.16-1\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-operator-bundle\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.2\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.2-21\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.2\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.2-21\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9-operator\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.2::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.2.16\", \"packageName\": \"rhbk/keycloak-rhel9-operator\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.4.12-1\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-operator-bundle\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.4-17\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4\", \"versions\": [{\"status\": \"unaffected\", \"version\": \"26.4-17\", \"lessThan\": \"*\", \"versionType\": \"rpm\"}], \"packageName\": \"rhbk/keycloak-rhel9-operator\", \"collectionURL\": \"https://catalog.redhat.com/software/containers/\", \"defaultStatus\": \"affected\"}, {\"cpes\": [\"cpe:/a:redhat:build_keycloak:26.4::el9\"], \"vendor\": \"Red Hat\", \"product\": \"Red Hat build of Keycloak 26.4.12\", \"packageName\": \"rhbk/keycloak-rhel9-operator\", \"collectionURL\": \"https://access.redhat.com/downloads/content/package-browser/\", \"defaultStatus\": \"unaffected\"}], \"timeline\": [{\"lang\": \"en\", \"time\": \"2026-04-30T14:57:56.441Z\", \"value\": \"Reported to Red Hat.\"}, {\"lang\": \"en\", \"time\": \"2026-05-19T10:51:31.418Z\", \"value\": \"Made public.\"}], \"datePublic\": \"2026-05-19T10:51:31.418Z\", \"references\": [{\"url\": \"https://access.redhat.com/errata/RHSA-2026:19594\", \"name\": \"RHSA-2026:19594\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:19595\", \"name\": \"RHSA-2026:19595\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:19596\", \"name\": \"RHSA-2026:19596\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2026:19597\", \"name\": \"RHSA-2026:19597\", \"tags\": [\"vendor-advisory\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://access.redhat.com/security/cve/CVE-2026-7507\", \"tags\": [\"vdb-entry\", \"x_refsource_REDHAT\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=2464145\", \"name\": \"RHBZ#2464145\", \"tags\": [\"issue-tracking\", \"x_refsource_REDHAT\"]}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.\"}], \"x_generator\": {\"engine\": \"cvelib 1.8.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"A session fixation vulnerability was found in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint\\u2014which processes session handles without adequate CSRF protection or cookie ownership validation\\u2014an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim\u0027s credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"shortName\": \"redhat\", \"dateUpdated\": \"2026-05-20T15:48:23.138Z\"}, \"x_redhatCweChain\": \"CWE-290: Authentication Bypass by Spoofing\"}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-7507\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-20T15:48:23.138Z\", \"dateReserved\": \"2026-04-30T14:58:15.177Z\", \"assignerOrgId\": \"53f830b8-0a3f-465b-8143-3b8a9948e749\", \"datePublished\": \"2026-05-19T11:01:25.443Z\", \"assignerShortName\": \"redhat\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-7507
Vulnerability from fkie_nvd - Published: 2026-05-19 12:16 - Updated: 2026-05-20 17:16
Severity ?
Summary
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A session fixation vulnerability was found in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint\u2014which processes session handles without adequate CSRF protection or cookie ownership validation\u2014an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim\u0027s credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts."
}
],
"id": "CVE-2026-7507",
"lastModified": "2026-05-20T17:16:28.883",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.6,
"impactScore": 5.9,
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
},
"published": "2026-05-19T12:16:19.687",
"references": [
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:19594"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:19595"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"source": "secalert@redhat.com",
"url": "https://access.redhat.com/security/cve/CVE-2026-7507"
},
{
"source": "secalert@redhat.com",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464145"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Undergoing Analysis",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-290"
}
],
"source": "secalert@redhat.com",
"type": "Secondary"
}
]
}
GHSA-HF67-5VVQ-FM3R
Vulnerability from github – Published: 2026-05-19 12:31 – Updated: 2026-05-20 18:31
VLAI?
Details
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
Severity ?
7.5 (High)
{
"affected": [],
"aliases": [
"CVE-2026-7507"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-19T12:16:19Z",
"severity": "HIGH"
},
"details": "A session fixation vulnerability was found in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint\u2014which processes session handles without adequate CSRF protection or cookie ownership validation\u2014an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim\u0027s credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.",
"id": "GHSA-hf67-5vvq-fm3r",
"modified": "2026-05-20T18:31:32Z",
"published": "2026-05-19T12:31:42Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7507"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19594"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19595"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2026-7507"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464145"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
RHSA-2026:19594
Vulnerability from csaf_redhat - Published: 2026-05-20 11:23 - Updated: 2026-05-20 16:08Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.2.16 Security Update
Severity
Important
Notes
Topic: New Red Hat build of Keycloak 26.2.16 packages are available from the Customer Portal
Details: Red Hat build of Keycloak 26.2.16 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
Security fixes:
* Denial of Service via specially crafted SAML input (CVE-2026-7307)
* Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)
* Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.2.16
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.2.16
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.2.16
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.2::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
15 references
Acknowledgments
Anchels
Intapp
João Mendes
Duarte Antunes
Calif.io
Hacking Team
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat build of Keycloak 26.2.16 packages are available from the Customer Portal",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak 26.2.16 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nSecurity fixes:\n* Denial of Service via specially crafted SAML input (CVE-2026-7307)\n* Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)\n* Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:19594",
"url": "https://access.redhat.com/errata/RHSA-2026:19594"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_19594.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.2.16 Security Update",
"tracking": {
"current_release_date": "2026-05-20T16:08:53+00:00",
"generator": {
"date": "2026-05-20T16:08:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2026:19594",
"initial_release_date": "2026-05-20T11:23:33+00:00",
"revision_history": [
{
"date": "2026-05-20T11:23:33+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-20T11:23:33+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-20T16:08:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.2.16",
"product": {
"name": "Red Hat build of Keycloak 26.2.16",
"product_id": "Red Hat build of Keycloak 26.2.16",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Anchels"
]
}
],
"cve": "CVE-2026-7307",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-05-12T16:20:11.587000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2476526"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via specially crafted SAML input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a High severity denial of service vulnerability in Keycloak. An unauthenticated attacker with network access can send specially crafted XML input to the SAML endpoint, causing high CPU utilization and worker thread exhaustion, which renders the Keycloak server unavailable. This directly impacts the availability of Keycloak instances where the SAML protocol is enabled.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.2.16"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7307"
},
{
"category": "external",
"summary": "RHBZ#2476526",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476526"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7307",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7307"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7307",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7307"
}
],
"release_date": "2026-05-19T10:42:34.560000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:33+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.2.16"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19594"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, restrict network access to the Keycloak SAML endpoint to trusted networks and clients. Implement firewall rules to limit inbound connections to the Keycloak service port (e.g., 8080) from untrusted sources. If the SAML protocol is not required for your deployment, consider disabling it to eliminate the attack surface. Applying these network restrictions or configuration changes may necessitate a restart or reload of the Keycloak service, which could temporarily affect its availability.",
"product_ids": [
"Red Hat build of Keycloak 26.2.16"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.2.16"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Denial of Service via specially crafted SAML input"
},
{
"acknowledgments": [
{
"names": [
"Jo\u00e3o Mendes",
"Duarte Antunes"
],
"organization": "Intapp"
}
],
"cve": "CVE-2026-7504",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2026-04-30T14:46:59.812530+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464128"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the \"Valid Redirect URIs\" field and requires user interaction to be successfully exploited.\n\nThe issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java\u0027s URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak\u0027s validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Open redirect when using wildcard valid redirect URIs in Keycloak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Keycloak allows for open redirection when a client is configured with a wildcard in its Valid Redirect URIs. An attacker could craft a malicious URL that, upon user interaction, bypasses validation and redirects to arbitrary locations within the domain, potentially leading to information disclosure or further attacks. This issue specifically affects deployments where clients utilize wildcard redirect URIs, requiring a specific configuration and user engagement for exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.2.16"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7504"
},
{
"category": "external",
"summary": "RHBZ#2464128",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464128"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7504"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7504",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7504"
}
],
"release_date": "2026-05-19T10:52:12.777000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:33+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.2.16"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19594"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, Red Hat recommends avoiding the use of wildcard characters in the \"Valid Redirect URIs\" field for clients within Keycloak. Instead, explicitly list all allowed redirect URIs. Review all client configurations to ensure that wildcards are not used unless absolutely necessary, and if used, ensure that the client application is robust against open redirect vulnerabilities. Changes to client configurations in Keycloak may require a restart or reload of the Keycloak service to take effect, which could impact active user sessions.",
"product_ids": [
"Red Hat build of Keycloak 26.2.16"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.2.16"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak/keycloak-services: Open redirect when using wildcard valid redirect URIs in Keycloak"
},
{
"acknowledgments": [
{
"names": [
"Hacking Team"
],
"organization": "Calif.io"
}
],
"cve": "CVE-2026-7507",
"cwe": {
"id": "CWE-290",
"name": "Authentication Bypass by Spoofing"
},
"discovery_date": "2026-04-30T14:57:56.441000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464145"
}
],
"notes": [
{
"category": "description",
"text": "A session fixation vulnerability was found in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint\u2014which processes session handles without adequate CSRF protection or cookie ownership validation\u2014an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim\u0027s credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a Critical session fixation vulnerability in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker can pre-create an authentication session and, by exploiting a lack of CSRF token or cookie ownership checks on the `/login-actions/restart` endpoint, reset the flow state to achieve silent Single Sign-On (SSO). This allows for full takeover of the master-realm admin account in default Keycloak deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.2.16"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7507"
},
{
"category": "external",
"summary": "RHBZ#2464145",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464145"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7507",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7507"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7507",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7507"
}
],
"release_date": "2026-05-19T10:51:31.418000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:33+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.2.16"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19594"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.2.16"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.2.16"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover"
}
]
}
RHSA-2026:19595
Vulnerability from csaf_redhat - Published: 2026-05-20 11:23 - Updated: 2026-05-20 16:08Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.2.16 Images Security Update
Severity
Important
Notes
Topic: New images are available for Red Hat build of Keycloak 26.2.16 and Red Hat build of Keycloak 26.2.16 Operator, running on OpenShift Container Platform
Details: Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
Red Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.2.16 clusters.
This erratum releases new images for Red Hat build of Keycloak 26.2.16 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.
Security fixes:
* Denial of Service via specially crafted SAML input (CVE-2026-7307)
* Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)
* Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
7.5 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.
8.1 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
7.5 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64 | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
References
15 references
Acknowledgments
Anchels
Intapp
João Mendes
Duarte Antunes
Calif.io
Hacking Team
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New images are available for Red Hat build of Keycloak 26.2.16 and Red Hat build of Keycloak 26.2.16 Operator, running on OpenShift Container Platform",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\nRed Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.2.16 clusters.\n\nThis erratum releases new images for Red Hat build of Keycloak 26.2.16 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity fixes:\n* Denial of Service via specially crafted SAML input (CVE-2026-7307)\n* Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)\n* Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:19595",
"url": "https://access.redhat.com/errata/RHSA-2026:19595"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_19595.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.2.16 Images Security Update",
"tracking": {
"current_release_date": "2026-05-20T16:08:54+00:00",
"generator": {
"date": "2026-05-20T16:08:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2026:19595",
"initial_release_date": "2026-05-20T11:23:01+00:00",
"revision_history": [
{
"date": "2026-05-20T11:23:01+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-20T11:23:01+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-20T16:08:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.2",
"product": {
"name": "Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64",
"product_id": "rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.2-21"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.2-21"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"product_id": "rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.2-21"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.2-21"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"product_id": "rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.2-21"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"product": {
"name": "rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"product_id": "rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-operator-bundle\u0026tag=26.2.16-1"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.2-21"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"product_id": "rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.2-21"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.2-21"
}
}
}
],
"category": "architecture",
"name": "s390x"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64"
},
"product_reference": "rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"relates_to_product_reference": "9Base-RHBK-26.2"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64 as a component of Red Hat build of Keycloak 26.2",
"product_id": "9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64",
"relates_to_product_reference": "9Base-RHBK-26.2"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Anchels"
]
}
],
"cve": "CVE-2026-7307",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-05-12T16:20:11.587000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2476526"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via specially crafted SAML input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a High severity denial of service vulnerability in Keycloak. An unauthenticated attacker with network access can send specially crafted XML input to the SAML endpoint, causing high CPU utilization and worker thread exhaustion, which renders the Keycloak server unavailable. This directly impacts the availability of Keycloak instances where the SAML protocol is enabled.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7307"
},
{
"category": "external",
"summary": "RHBZ#2476526",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476526"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7307",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7307"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7307",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7307"
}
],
"release_date": "2026-05-19T10:42:34.560000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19595"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, restrict network access to the Keycloak SAML endpoint to trusted networks and clients. Implement firewall rules to limit inbound connections to the Keycloak service port (e.g., 8080) from untrusted sources. If the SAML protocol is not required for your deployment, consider disabling it to eliminate the attack surface. Applying these network restrictions or configuration changes may necessitate a restart or reload of the Keycloak service, which could temporarily affect its availability.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Denial of Service via specially crafted SAML input"
},
{
"acknowledgments": [
{
"names": [
"Jo\u00e3o Mendes",
"Duarte Antunes"
],
"organization": "Intapp"
}
],
"cve": "CVE-2026-7504",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2026-04-30T14:46:59.812530+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464128"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the \"Valid Redirect URIs\" field and requires user interaction to be successfully exploited.\n\nThe issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java\u0027s URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak\u0027s validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Open redirect when using wildcard valid redirect URIs in Keycloak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Keycloak allows for open redirection when a client is configured with a wildcard in its Valid Redirect URIs. An attacker could craft a malicious URL that, upon user interaction, bypasses validation and redirects to arbitrary locations within the domain, potentially leading to information disclosure or further attacks. This issue specifically affects deployments where clients utilize wildcard redirect URIs, requiring a specific configuration and user engagement for exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7504"
},
{
"category": "external",
"summary": "RHBZ#2464128",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464128"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7504"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7504",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7504"
}
],
"release_date": "2026-05-19T10:52:12.777000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19595"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, Red Hat recommends avoiding the use of wildcard characters in the \"Valid Redirect URIs\" field for clients within Keycloak. Instead, explicitly list all allowed redirect URIs. Review all client configurations to ensure that wildcards are not used unless absolutely necessary, and if used, ensure that the client application is robust against open redirect vulnerabilities. Changes to client configurations in Keycloak may require a restart or reload of the Keycloak service to take effect, which could impact active user sessions.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak/keycloak-services: Open redirect when using wildcard valid redirect URIs in Keycloak"
},
{
"acknowledgments": [
{
"names": [
"Hacking Team"
],
"organization": "Calif.io"
}
],
"cve": "CVE-2026-7507",
"cwe": {
"id": "CWE-290",
"name": "Authentication Bypass by Spoofing"
},
"discovery_date": "2026-04-30T14:57:56.441000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464145"
}
],
"notes": [
{
"category": "description",
"text": "A session fixation vulnerability was found in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint\u2014which processes session handles without adequate CSRF protection or cookie ownership validation\u2014an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim\u0027s credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a Critical session fixation vulnerability in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker can pre-create an authentication session and, by exploiting a lack of CSRF token or cookie ownership checks on the `/login-actions/restart` endpoint, reset the flow state to achieve silent Single Sign-On (SSO). This allows for full takeover of the master-realm admin account in default Keycloak deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7507"
},
{
"category": "external",
"summary": "RHBZ#2464145",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464145"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7507",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7507"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7507",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7507"
}
],
"release_date": "2026-05-19T10:51:31.418000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:01+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19595"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.2:rhbk/keycloak-operator-bundle@sha256:43a89aece29c0a33128e5a7be4ef26d96956fa125df89e22b183c40e50bb8a1d_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:13d8216c9f47a6f73ea6ea5c9ae7b8b38a89c3822e48eeed7271e50970132175_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:4d2cc26a505eda68f7270c8e8a02d794588f9c7ceec98b763d83e3875f957132_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:88672078ac0b5a0da5b72c11751fa7b0c1c57679ec0f68cb1fe9ba76932397b5_arm64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9-operator@sha256:fa9cebe14d003ae002137462fc5833e5634fd040d8f25a66230da9a753891914_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:01a56463ad6790cf448e66f59a81c229db4159f42e563a13d19de051ec85ca86_s390x",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:58e692074e695bee04981aff9641db8070ba1a49ee6134fcc008046cd84da21d_ppc64le",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:7861ca2441bed95aab1ad43f9159d5c60b522fe3f43833f1847bd1d3ddef94d3_amd64",
"9Base-RHBK-26.2:rhbk/keycloak-rhel9@sha256:a9aeb0bc33a3461fe2d407896422719b21b184717956cbcebac0da976a220c1c_arm64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover"
}
]
}
RHSA-2026:19596
Vulnerability from csaf_redhat - Published: 2026-05-20 11:23 - Updated: 2026-05-20 16:08Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.4.12 Security Update
Severity
Important
Notes
Topic: New Red Hat build of Keycloak 26.4.12 packages are available from the Customer Portal
Details: Red Hat build of Keycloak 26.4.12 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.
Security fixes:
* Denial of Service via specially crafted SAML input (CVE-2026-7307)
* Information Disclosure via evaluate-scopes Admin API (CVE-2026-37978)
* Unauthorized account takeover via WebAuthn token replay (CVE-2026-37982)
* Information disclosure via OIDC token introspection endpoint audience bypass (CVE-2026-37979)
* Access token disclosure and implicit flow bypass via forged client data (CVE-2026-7571)
* Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)
* Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)
* Information disclosure via broken access control in user lookup endpoint (CVE-2026-37981)
* Unauthorized resource access and data modification via Insecure Direct Object Reference (CVE-2026-4630)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.
6.8 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.12
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.12
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.
8.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.12
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
7.5 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.12
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.
7.1 (High)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.12
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.
4.9 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.12
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.
6.5 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.12
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.
4.3 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.12
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.
6.8 (Medium)
Affected products
Fixed
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Red Hat build of Keycloak 26.4.12
Red Hat / Red Hat build of Keycloak
|
cpe:/a:redhat:build_keycloak:26.4::el9
|
— |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
39 references
Acknowledgments
Anchels
Intapp
João Mendes
Duarte Antunes
Calif.io
Hacking Team
Evan Hendra
Herdiyan Adam Putra
XavLimSG
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat build of Keycloak 26.4.12 packages are available from the Customer Portal",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak 26.4.12 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nSecurity fixes:\n* Denial of Service via specially crafted SAML input (CVE-2026-7307)\n* Information Disclosure via evaluate-scopes Admin API (CVE-2026-37978)\n* Unauthorized account takeover via WebAuthn token replay (CVE-2026-37982)\n* Information disclosure via OIDC token introspection endpoint audience bypass (CVE-2026-37979)\n* Access token disclosure and implicit flow bypass via forged client data (CVE-2026-7571)\n* Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)\n* Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)\n* Information disclosure via broken access control in user lookup endpoint (CVE-2026-37981)\n* Unauthorized resource access and data modification via Insecure Direct Object Reference (CVE-2026-4630)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:19596",
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_19596.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.4.12 Security Update",
"tracking": {
"current_release_date": "2026-05-20T16:08:55+00:00",
"generator": {
"date": "2026-05-20T16:08:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2026:19596",
"initial_release_date": "2026-05-20T11:23:18+00:00",
"revision_history": [
{
"date": "2026-05-20T11:23:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-20T11:23:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-20T16:08:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.4.12",
"product": {
"name": "Red Hat build of Keycloak 26.4.12",
"product_id": "Red Hat build of Keycloak 26.4.12",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-4630",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-03-23T08:10:40.944000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2450245"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource\u0027s unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized resource access and data modification via Insecure Direct Object Reference",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4630"
},
{
"category": "external",
"summary": "RHBZ#2450245",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450245"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4630",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4630"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4630",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4630"
}
],
"release_date": "2026-04-15T12:34:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:18+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Unauthorized resource access and data modification via Insecure Direct Object Reference"
},
{
"acknowledgments": [
{
"names": [
"Anchels"
]
}
],
"cve": "CVE-2026-7307",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-05-12T16:20:11.587000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2476526"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via specially crafted SAML input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a High severity denial of service vulnerability in Keycloak. An unauthenticated attacker with network access can send specially crafted XML input to the SAML endpoint, causing high CPU utilization and worker thread exhaustion, which renders the Keycloak server unavailable. This directly impacts the availability of Keycloak instances where the SAML protocol is enabled.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7307"
},
{
"category": "external",
"summary": "RHBZ#2476526",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476526"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7307",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7307"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7307",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7307"
}
],
"release_date": "2026-05-19T10:42:34.560000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:18+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, restrict network access to the Keycloak SAML endpoint to trusted networks and clients. Implement firewall rules to limit inbound connections to the Keycloak service port (e.g., 8080) from untrusted sources. If the SAML protocol is not required for your deployment, consider disabling it to eliminate the attack surface. Applying these network restrictions or configuration changes may necessitate a restart or reload of the Keycloak service, which could temporarily affect its availability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Denial of Service via specially crafted SAML input"
},
{
"acknowledgments": [
{
"names": [
"Jo\u00e3o Mendes",
"Duarte Antunes"
],
"organization": "Intapp"
}
],
"cve": "CVE-2026-7504",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2026-04-30T14:46:59.812530+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464128"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the \"Valid Redirect URIs\" field and requires user interaction to be successfully exploited.\n\nThe issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java\u0027s URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak\u0027s validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Open redirect when using wildcard valid redirect URIs in Keycloak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Keycloak allows for open redirection when a client is configured with a wildcard in its Valid Redirect URIs. An attacker could craft a malicious URL that, upon user interaction, bypasses validation and redirects to arbitrary locations within the domain, potentially leading to information disclosure or further attacks. This issue specifically affects deployments where clients utilize wildcard redirect URIs, requiring a specific configuration and user engagement for exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7504"
},
{
"category": "external",
"summary": "RHBZ#2464128",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464128"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7504"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7504",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7504"
}
],
"release_date": "2026-05-19T10:52:12.777000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:18+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, Red Hat recommends avoiding the use of wildcard characters in the \"Valid Redirect URIs\" field for clients within Keycloak. Instead, explicitly list all allowed redirect URIs. Review all client configurations to ensure that wildcards are not used unless absolutely necessary, and if used, ensure that the client application is robust against open redirect vulnerabilities. Changes to client configurations in Keycloak may require a restart or reload of the Keycloak service to take effect, which could impact active user sessions.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak/keycloak-services: Open redirect when using wildcard valid redirect URIs in Keycloak"
},
{
"acknowledgments": [
{
"names": [
"Hacking Team"
],
"organization": "Calif.io"
}
],
"cve": "CVE-2026-7507",
"cwe": {
"id": "CWE-290",
"name": "Authentication Bypass by Spoofing"
},
"discovery_date": "2026-04-30T14:57:56.441000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464145"
}
],
"notes": [
{
"category": "description",
"text": "A session fixation vulnerability was found in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint\u2014which processes session handles without adequate CSRF protection or cookie ownership validation\u2014an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim\u0027s credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a Critical session fixation vulnerability in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker can pre-create an authentication session and, by exploiting a lack of CSRF token or cookie ownership checks on the `/login-actions/restart` endpoint, reset the flow state to achieve silent Single Sign-On (SSO). This allows for full takeover of the master-realm admin account in default Keycloak deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7507"
},
{
"category": "external",
"summary": "RHBZ#2464145",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464145"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7507",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7507"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7507",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7507"
}
],
"release_date": "2026-05-19T10:51:31.418000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:18+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
]
}
],
"cve": "CVE-2026-7571",
"cwe": {
"id": "CWE-472",
"name": "External Control of Assumed-Immutable Web Parameter"
},
"discovery_date": "2026-04-30T22:22:41.973000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Access token disclosure and implicit flow bypass via forged client data",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This High severity flaw in Keycloak allows a low-privilege user, with knowledge of user credentials and client ID, to bypass the `implicitFlowEnabled=false` setting. By forging client data during a session restart, an attacker can obtain an implicit access token, potentially exposing it in URL query strings if `response_mode=query` is also forged. This bypass undermines a critical security control intended to prevent implicit flow, leading to unauthorized access to sensitive tokens.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7571"
},
{
"category": "external",
"summary": "RHBZ#2464263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7571",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7571"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7571",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7571"
}
],
"release_date": "2026-05-19T10:50:49.394000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:18+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"category": "workaround",
"details": "To mitigate this issue, restrict network access to the Keycloak authentication endpoint to trusted clients and networks. Implement firewall rules to control inbound connections to the Keycloak service ports, thereby reducing the attack surface and limiting who can initiate authentication flows and potentially exploit the implicit flow bypass. If the Keycloak service is reloaded or restarted, ensure these network restrictions remain in effect.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Access token disclosure and implicit flow bypass via forged client data"
},
{
"cve": "CVE-2026-37978",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-04-06T07:56:31.980322+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455327"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A low-privilege administrator with the \u0027view-clients\u0027 role can exploit this by invoking the \u0027evaluate-scopes\u0027 Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak.services: Keycloak: Information Disclosure via evaluate-scopes Admin API",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a Moderate impact vulnerability affecting Red Hat Build of Keycloak (RHBK). A low-privilege administrator with the `view-clients` role can exploit the `evaluate-scopes` Admin API endpoints to disclose sensitive user profile and role data. This allows unauthorized visibility into user identities and authorizations across the realm, requiring network access to the Admin API for exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-37978"
},
{
"category": "external",
"summary": "RHBZ#2455327",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455327"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-37978",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37978"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-37978",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37978"
}
],
"release_date": "2026-05-19T10:43:47.080000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:18+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak.services: Keycloak: Information Disclosure via evaluate-scopes Admin API"
},
{
"acknowledgments": [
{
"names": [
"Herdiyan Adam Putra"
]
}
],
"cve": "CVE-2026-37979",
"discovery_date": "2026-04-06T07:57:53.307889+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455328"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This access control vulnerability in Keycloak\u0027s OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Moderate impact: Keycloak\u0027s OIDC token introspection endpoint fails to enforce audience validation, allowing a confidential client to retrieve sensitive token claims intended for a different audience. This compromises the confidentiality of lightweight tokens within Red Hat Build of Keycloak.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-37979"
},
{
"category": "external",
"summary": "RHBZ#2455328",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455328"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-37979",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37979"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-37979",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37979"
}
],
"release_date": "2026-05-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:18+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass"
},
{
"acknowledgments": [
{
"names": [
"XavLimSG"
]
}
],
"cve": "CVE-2026-37981",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2026-04-06T07:53:20.150776+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455326"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak.authorization: Keycloak: Information disclosure via broken access control in user lookup endpoint",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Moderate: This vulnerability in Red Hat Build of Keycloak (RHBK) allows an authenticated user to bypass access controls in the Account Resources user lookup endpoint. By sending crafted requests, an attacker can enumerate and harvest personal identifiable information (PII) for all users within a realm, leading to broad profile-level information disclosure.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-37981"
},
{
"category": "external",
"summary": "RHBZ#2455326",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455326"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-37981",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37981"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-37981",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37981"
}
],
"release_date": "2026-05-19T10:19:46.684000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:18+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak.authorization: Keycloak: Information disclosure via broken access control in user lookup endpoint"
},
{
"cve": "CVE-2026-37982",
"discovery_date": "2026-04-06T08:00:08.777921+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455329"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak\u0027s WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim\u0027s account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak.authentication: Keycloak: Unauthorized account takeover via WebAuthn token replay",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability has a Moderate impact on Red Hat Build of Keycloak (RHBK). A flaw in Keycloak\u0027s WebAuthn flow allows an attacker who gains access to an execute-actions email link to replay tokens containing WEBAUTHN_REGISTER or WEBAUTHN_PASSWORDLESS_REGISTER. This enables unauthorized WebAuthn registration with the attacker\u0027s authenticator on the victim\u0027s account, leading to account takeover. Exploitation requires WebAuthn required actions to be enabled and the email link to be compromised.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.4.12"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-37982"
},
{
"category": "external",
"summary": "RHBZ#2455329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455329"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-37982",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37982"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-37982",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37982"
}
],
"release_date": "2026-05-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:18+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19596"
},
{
"category": "workaround",
"details": "To mitigate this issue, consider disabling WebAuthn required actions in Keycloak if they are not essential for your deployment. This will prevent the vulnerable token replay mechanism from being exploited. Consult Keycloak documentation for specific configuration steps to disable WebAuthn required actions. Note that applying configuration changes may require a service restart and could impact functionality relying on WebAuthn registration.",
"product_ids": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.4.12"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak.authentication: Keycloak: Unauthorized account takeover via WebAuthn token replay"
}
]
}
RHSA-2026:19597
Vulnerability from csaf_redhat - Published: 2026-05-20 11:23 - Updated: 2026-05-20 16:08Summary
Red Hat Security Advisory: Red Hat build of Keycloak 26.4.12 Images Security Update
Severity
Important
Notes
Topic: New images are available for Red Hat build of Keycloak 26.4.12 and Red Hat build of Keycloak 26.4.12 Operator, running on OpenShift Container Platform
Details: Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.
Red Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.4.12 clusters.
This erratum releases new images for Red Hat build of Keycloak 26.4.12 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.
Security fixes:
* Denial of Service via specially crafted SAML input (CVE-2026-7307)
* Information Disclosure via evaluate-scopes Admin API (CVE-2026-37978)
* Unauthorized account takeover via WebAuthn token replay (CVE-2026-37982)
* Information disclosure via OIDC token introspection endpoint audience bypass (CVE-2026-37979)
* Access token disclosure and implicit flow bypass via forged client data (CVE-2026-7571)
* Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)
* Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)
* Information disclosure via broken access control in user lookup endpoint (CVE-2026-37981)
* Unauthorized resource access and data modification via Insecure Direct Object Reference (CVE-2026-4630)
Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.
6.8 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.
7.5 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.
8.1 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
7.5 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Important
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.
7.1 (High)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.
4.9 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.
6.5 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.
4.3 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.
6.8 (Medium)
Affected products
Fixed
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64 | — |
Vendor Fix
fix
Workaround
|
|
| Unresolved product id: 9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le | — |
Vendor Fix
fix
Workaround
|
Threats
Impact
Moderate
References
39 references
Acknowledgments
Anchels
Intapp
João Mendes
Duarte Antunes
Calif.io
Hacking Team
Evan Hendra
Herdiyan Adam Putra
XavLimSG
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New images are available for Red Hat build of Keycloak 26.4.12 and Red Hat build of Keycloak 26.4.12 Operator, running on OpenShift Container Platform",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat build of Keycloak for OpenShift image provides an authentication server that you can use to log in centrally, log out, and register. You can also manage user accounts for web applications, mobile applications, and RESTful web services.\nRed Hat build of Keycloak Operator for OpenShift simplifies deployment and management of Keycloak 26.4.12 clusters.\n\nThis erratum releases new images for Red Hat build of Keycloak 26.4.12 for use within the OpenShift Container Platform cloud computing Platform-as-a-Service (PaaS) for on-premise or private cloud deployments, aligning with the standalone product release.\n\nSecurity fixes:\n* Denial of Service via specially crafted SAML input (CVE-2026-7307)\n* Information Disclosure via evaluate-scopes Admin API (CVE-2026-37978)\n* Unauthorized account takeover via WebAuthn token replay (CVE-2026-37982)\n* Information disclosure via OIDC token introspection endpoint audience bypass (CVE-2026-37979)\n* Access token disclosure and implicit flow bypass via forged client data (CVE-2026-7571)\n* Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)\n* Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)\n* Information disclosure via broken access control in user lookup endpoint (CVE-2026-37981)\n* Unauthorized resource access and data modification via Insecure Direct Object Reference (CVE-2026-4630)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:19597",
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_19597.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.4.12 Images Security Update",
"tracking": {
"current_release_date": "2026-05-20T16:08:55+00:00",
"generator": {
"date": "2026-05-20T16:08:55+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2026:19597",
"initial_release_date": "2026-05-20T11:23:59+00:00",
"revision_history": [
{
"date": "2026-05-20T11:23:59+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-20T11:23:59+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-20T16:08:55+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.4",
"product": {
"name": "Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.4::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"product_id": "rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-17"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"product": {
"name": "rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"product_id": "rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-operator-bundle\u0026tag=26.4.12-1"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d?arch=amd64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-17"
}
}
}
],
"category": "architecture",
"name": "amd64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"product_id": "rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-17"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c?arch=arm64\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-17"
}
}
}
],
"category": "architecture",
"name": "arm64"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"product_id": "rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-17"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72?arch=s390x\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-17"
}
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le",
"product_id": "rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9\u0026tag=26.4-17"
}
}
},
{
"category": "product_version",
"name": "rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"product": {
"name": "rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"product_id": "rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"product_identification_helper": {
"purl": "pkg:oci/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5?arch=ppc64le\u0026repository_url=registry.redhat.io/rhbk/keycloak-rhel9-operator\u0026tag=26.4-17"
}
}
}
],
"category": "architecture",
"name": "ppc64le"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64"
},
"product_reference": "rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64"
},
"product_reference": "rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64 as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"relates_to_product_reference": "9Base-RHBK-26.4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le as a component of Red Hat build of Keycloak 26.4",
"product_id": "9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
},
"product_reference": "rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le",
"relates_to_product_reference": "9Base-RHBK-26.4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-4630",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-03-23T08:10:40.944000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2450245"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource\u0027s unique identifier (UUID) belonging to another Resource Server within the same realm, the client could bypass authorization checks. This allows the client to perform unauthorized GET, PUT, and DELETE operations on resources, leading to information disclosure and potential unauthorized modification or deletion of data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Unauthorized resource access and data modification via Insecure Direct Object Reference",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-4630"
},
{
"category": "external",
"summary": "RHBZ#2450245",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2450245"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-4630",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4630"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-4630",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4630"
}
],
"release_date": "2026-04-15T12:34:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:59+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Unauthorized resource access and data modification via Insecure Direct Object Reference"
},
{
"acknowledgments": [
{
"names": [
"Anchels"
]
}
],
"cve": "CVE-2026-7307",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-05-12T16:20:11.587000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2476526"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via specially crafted SAML input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a High severity denial of service vulnerability in Keycloak. An unauthenticated attacker with network access can send specially crafted XML input to the SAML endpoint, causing high CPU utilization and worker thread exhaustion, which renders the Keycloak server unavailable. This directly impacts the availability of Keycloak instances where the SAML protocol is enabled.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7307"
},
{
"category": "external",
"summary": "RHBZ#2476526",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476526"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7307",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7307"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7307",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7307"
}
],
"release_date": "2026-05-19T10:42:34.560000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:59+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, restrict network access to the Keycloak SAML endpoint to trusted networks and clients. Implement firewall rules to limit inbound connections to the Keycloak service port (e.g., 8080) from untrusted sources. If the SAML protocol is not required for your deployment, consider disabling it to eliminate the attack surface. Applying these network restrictions or configuration changes may necessitate a restart or reload of the Keycloak service, which could temporarily affect its availability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Denial of Service via specially crafted SAML input"
},
{
"acknowledgments": [
{
"names": [
"Jo\u00e3o Mendes",
"Duarte Antunes"
],
"organization": "Intapp"
}
],
"cve": "CVE-2026-7504",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2026-04-30T14:46:59.812530+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464128"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the \"Valid Redirect URIs\" field and requires user interaction to be successfully exploited.\n\nThe issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java\u0027s URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak\u0027s validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Open redirect when using wildcard valid redirect URIs in Keycloak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Keycloak allows for open redirection when a client is configured with a wildcard in its Valid Redirect URIs. An attacker could craft a malicious URL that, upon user interaction, bypasses validation and redirects to arbitrary locations within the domain, potentially leading to information disclosure or further attacks. This issue specifically affects deployments where clients utilize wildcard redirect URIs, requiring a specific configuration and user engagement for exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7504"
},
{
"category": "external",
"summary": "RHBZ#2464128",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464128"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7504"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7504",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7504"
}
],
"release_date": "2026-05-19T10:52:12.777000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:59+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, Red Hat recommends avoiding the use of wildcard characters in the \"Valid Redirect URIs\" field for clients within Keycloak. Instead, explicitly list all allowed redirect URIs. Review all client configurations to ensure that wildcards are not used unless absolutely necessary, and if used, ensure that the client application is robust against open redirect vulnerabilities. Changes to client configurations in Keycloak may require a restart or reload of the Keycloak service to take effect, which could impact active user sessions.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak/keycloak-services: Open redirect when using wildcard valid redirect URIs in Keycloak"
},
{
"acknowledgments": [
{
"names": [
"Hacking Team"
],
"organization": "Calif.io"
}
],
"cve": "CVE-2026-7507",
"cwe": {
"id": "CWE-290",
"name": "Authentication Bypass by Spoofing"
},
"discovery_date": "2026-04-30T14:57:56.441000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464145"
}
],
"notes": [
{
"category": "description",
"text": "A session fixation vulnerability was found in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint\u2014which processes session handles without adequate CSRF protection or cookie ownership validation\u2014an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim\u0027s credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a Critical session fixation vulnerability in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker can pre-create an authentication session and, by exploiting a lack of CSRF token or cookie ownership checks on the `/login-actions/restart` endpoint, reset the flow state to achieve silent Single Sign-On (SSO). This allows for full takeover of the master-realm admin account in default Keycloak deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7507"
},
{
"category": "external",
"summary": "RHBZ#2464145",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464145"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7507",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7507"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7507",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7507"
}
],
"release_date": "2026-05-19T10:51:31.418000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:59+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover"
},
{
"acknowledgments": [
{
"names": [
"Evan Hendra"
]
}
],
"cve": "CVE-2026-7571",
"cwe": {
"id": "CWE-472",
"name": "External Control of Assumed-Immutable Web Parameter"
},
"discovery_date": "2026-04-30T22:22:41.973000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464263"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Access token disclosure and implicit flow bypass via forged client data",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This High severity flaw in Keycloak allows a low-privilege user, with knowledge of user credentials and client ID, to bypass the `implicitFlowEnabled=false` setting. By forging client data during a session restart, an attacker can obtain an implicit access token, potentially exposing it in URL query strings if `response_mode=query` is also forged. This bypass undermines a critical security control intended to prevent implicit flow, leading to unauthorized access to sensitive tokens.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7571"
},
{
"category": "external",
"summary": "RHBZ#2464263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464263"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7571",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7571"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7571",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7571"
}
],
"release_date": "2026-05-19T10:50:49.394000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:59+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"category": "workaround",
"details": "To mitigate this issue, restrict network access to the Keycloak authentication endpoint to trusted clients and networks. Implement firewall rules to control inbound connections to the Keycloak service ports, thereby reducing the attack surface and limiting who can initiate authentication flows and potentially exploit the implicit flow bypass. If the Keycloak service is reloaded or restarted, ensure these network restrictions remain in effect.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Access token disclosure and implicit flow bypass via forged client data"
},
{
"cve": "CVE-2026-37978",
"cwe": {
"id": "CWE-639",
"name": "Authorization Bypass Through User-Controlled Key"
},
"discovery_date": "2026-04-06T07:56:31.980322+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455327"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A low-privilege administrator with the \u0027view-clients\u0027 role can exploit this by invoking the \u0027evaluate-scopes\u0027 Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable information (PII) leakage, enabling unauthorized visibility into user identities and authorizations across the realm. Exploitation is possible remotely via network access to the Admin API.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak.services: Keycloak: Information Disclosure via evaluate-scopes Admin API",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a Moderate impact vulnerability affecting Red Hat Build of Keycloak (RHBK). A low-privilege administrator with the `view-clients` role can exploit the `evaluate-scopes` Admin API endpoints to disclose sensitive user profile and role data. This allows unauthorized visibility into user identities and authorizations across the realm, requiring network access to the Admin API for exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-37978"
},
{
"category": "external",
"summary": "RHBZ#2455327",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455327"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-37978",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37978"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-37978",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37978"
}
],
"release_date": "2026-05-19T10:43:47.080000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:59+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak.services: Keycloak: Information Disclosure via evaluate-scopes Admin API"
},
{
"acknowledgments": [
{
"names": [
"Herdiyan Adam Putra"
]
}
],
"cve": "CVE-2026-37979",
"discovery_date": "2026-04-06T07:57:53.307889+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455328"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This access control vulnerability in Keycloak\u0027s OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Moderate impact: Keycloak\u0027s OIDC token introspection endpoint fails to enforce audience validation, allowing a confidential client to retrieve sensitive token claims intended for a different audience. This compromises the confidentiality of lightweight tokens within Red Hat Build of Keycloak.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-37979"
},
{
"category": "external",
"summary": "RHBZ#2455328",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455328"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-37979",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37979"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-37979",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37979"
}
],
"release_date": "2026-05-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:59+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass"
},
{
"acknowledgments": [
{
"names": [
"XavLimSG"
]
}
],
"cve": "CVE-2026-37981",
"cwe": {
"id": "CWE-1220",
"name": "Insufficient Granularity of Access Control"
},
"discovery_date": "2026-04-06T07:53:20.150776+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455326"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values, the endpoint returns full profile objects for unrelated users. This leads to broad profile-level information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak.authorization: Keycloak: Information disclosure via broken access control in user lookup endpoint",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Moderate: This vulnerability in Red Hat Build of Keycloak (RHBK) allows an authenticated user to bypass access controls in the Account Resources user lookup endpoint. By sending crafted requests, an attacker can enumerate and harvest personal identifiable information (PII) for all users within a realm, leading to broad profile-level information disclosure.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-37981"
},
{
"category": "external",
"summary": "RHBZ#2455326",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455326"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-37981",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37981"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-37981",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37981"
}
],
"release_date": "2026-05-19T10:19:46.684000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:59+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak.authorization: Keycloak: Information disclosure via broken access control in user lookup endpoint"
},
{
"cve": "CVE-2026-37982",
"discovery_date": "2026-04-06T08:00:08.777921+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2455329"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak\u0027s WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim\u0027s account. This leads to unauthorized enrollment of a hardware-backed credential, enabling persistent account takeover.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: org.keycloak.authentication: Keycloak: Unauthorized account takeover via WebAuthn token replay",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This vulnerability has a Moderate impact on Red Hat Build of Keycloak (RHBK). A flaw in Keycloak\u0027s WebAuthn flow allows an attacker who gains access to an execute-actions email link to replay tokens containing WEBAUTHN_REGISTER or WEBAUTHN_PASSWORDLESS_REGISTER. This enables unauthorized WebAuthn registration with the attacker\u0027s authenticator on the victim\u0027s account, leading to account takeover. Exploitation requires WebAuthn required actions to be enabled and the email link to be compromised.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-37982"
},
{
"category": "external",
"summary": "RHBZ#2455329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455329"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-37982",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-37982"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-37982",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-37982"
}
],
"release_date": "2026-05-19T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:59+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19597"
},
{
"category": "workaround",
"details": "To mitigate this issue, consider disabling WebAuthn required actions in Keycloak if they are not essential for your deployment. This will prevent the vulnerable token replay mechanism from being exploited. Consult Keycloak documentation for specific configuration steps to disable WebAuthn required actions. Note that applying configuration changes may require a service restart and could impact functionality relying on WebAuthn registration.",
"product_ids": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.8,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"9Base-RHBK-26.4:rhbk/keycloak-operator-bundle@sha256:15286c44c4003e787b0bdf9a0bbc5083a2f2312eaf29ccd0c6943232ff52d729_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:2a81955051fb0975bfcb77d25ed64c84038d3c7293f910aeb88f9241be531f9d_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d8185614aa82117680351c710a5d7b80703a9d450dd02a7becfd1405cbc5ecd5_ppc64le",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:d915c75947df63aed99031401dbf570181dba3c5a484eb88438a27892eb7aa72_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9-operator@sha256:f80c9568ff4b3cc086b7107c8e68db5f548c2b51a01dd8c79d0c9705574a180c_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:554cd90241225b6d64d0e7ada9a8ab50ae2054efdb2f5b2cbdb721475ea296df_arm64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:68b61a98fcdfd46a166cabe097d609d65fd51181860f9ec7f691bbe5d2a986db_s390x",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:81773a34d38a8df4b07344fe4ba5670d18684b3579c9d2cf8d0690bf5ec5ab40_amd64",
"9Base-RHBK-26.4:rhbk/keycloak-rhel9@sha256:fa7342d82f080bfe8ffaaf5ba204b98dc435897a388b1501d23a1541fe7f1272_ppc64le"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "keycloak: org.keycloak.authentication: Keycloak: Unauthorized account takeover via WebAuthn token replay"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…