RHSA-2026:19594
Vulnerability from csaf_redhat - Published: 2026-05-20 11:23 - Updated: 2026-05-20 16:08

A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat build of Keycloak 26.2.16 (Red Hat / Red Hat build of Keycloak) | cpe:/a:redhat:build_keycloak:26.2::el9 | — | Vendor Fix; Workaround |
A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited.

The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.

| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat build of Keycloak 26.2.16 (Red Hat / Red Hat build of Keycloak) | cpe:/a:redhat:build_keycloak:26.2::el9 | — | Vendor Fix; Workaround |
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Red Hat build of Keycloak 26.2.16 (Red Hat / Red Hat build of Keycloak) | cpe:/a:redhat:build_keycloak:26.2::el9 | — | Vendor Fix; Workaround |
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "New Red Hat build of Keycloak 26.2.16 packages are available from the Customer Portal",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat build of Keycloak 26.2.16 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.\n\nSecurity fixes:\n* Denial of Service via specially crafted SAML input (CVE-2026-7307)\n* Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)\n* Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2026:19594",
"url": "https://access.redhat.com/errata/RHSA-2026:19594"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2026/rhsa-2026_19594.json"
}
],
"title": "Red Hat Security Advisory: Red Hat build of Keycloak 26.2.16 Security Update",
"tracking": {
"current_release_date": "2026-05-20T16:08:53+00:00",
"generator": {
"date": "2026-05-20T16:08:53+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.8.0"
}
},
"id": "RHSA-2026:19594",
"initial_release_date": "2026-05-20T11:23:33+00:00",
"revision_history": [
{
"date": "2026-05-20T11:23:33+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2026-05-20T11:23:33+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2026-05-20T16:08:53+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat build of Keycloak 26.2.16",
"product": {
"name": "Red Hat build of Keycloak 26.2.16",
"product_id": "Red Hat build of Keycloak 26.2.16",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:build_keycloak:26.2::el9"
}
}
}
],
"category": "product_family",
"name": "Red Hat build of Keycloak"
}
],
"category": "vendor",
"name": "Red Hat"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Anchels"
]
}
],
"cve": "CVE-2026-7307",
"cwe": {
"id": "CWE-1286",
"name": "Improper Validation of Syntactic Correctness of Input"
},
"discovery_date": "2026-05-12T16:20:11.587000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2476526"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS) where the server becomes unavailable.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "keycloak: Keycloak: Denial of Service via specially crafted SAML input",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a High severity denial of service vulnerability in Keycloak. An unauthenticated attacker with network access can send specially crafted XML input to the SAML endpoint, causing high CPU utilization and worker thread exhaustion, which renders the Keycloak server unavailable. This directly impacts the availability of Keycloak instances where the SAML protocol is enabled.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.2.16"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7307"
},
{
"category": "external",
"summary": "RHBZ#2476526",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2476526"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7307",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7307"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7307",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7307"
}
],
"release_date": "2026-05-19T10:42:34.560000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:33+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.2.16"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19594"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, restrict network access to the Keycloak SAML endpoint to trusted networks and clients. Implement firewall rules to limit inbound connections to the Keycloak service port (e.g., 8080) from untrusted sources. If the SAML protocol is not required for your deployment, consider disabling it to eliminate the attack surface. Applying these network restrictions or configuration changes may necessitate a restart or reload of the Keycloak service, which could temporarily affect its availability.",
"product_ids": [
"Red Hat build of Keycloak 26.2.16"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.2.16"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "keycloak: Keycloak: Denial of Service via specially crafted SAML input"
},
{
"acknowledgments": [
{
"names": [
"Jo\u00e3o Mendes",
"Duarte Antunes"
],
"organization": "Intapp"
}
],
"cve": "CVE-2026-7504",
"cwe": {
"id": "CWE-601",
"name": "URL Redirection to Untrusted Site (\u0027Open Redirect\u0027)"
},
"discovery_date": "2026-04-30T14:46:59.812530+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464128"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Keycloak\u0027s URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the \"Valid Redirect URIs\" field and requires user interaction to be successfully exploited.\n\nThe issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java\u0027s URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak\u0027s validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Open redirect when using wildcard valid redirect URIs in Keycloak",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This Moderate impact flaw in Keycloak allows for open redirection when a client is configured with a wildcard in its Valid Redirect URIs. An attacker could craft a malicious URL that, upon user interaction, bypasses validation and redirects to arbitrary locations within the domain, potentially leading to information disclosure or further attacks. This issue specifically affects deployments where clients utilize wildcard redirect URIs, requiring a specific configuration and user engagement for exploitation.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.2.16"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7504"
},
{
"category": "external",
"summary": "RHBZ#2464128",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464128"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7504",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7504"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7504",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7504"
}
],
"release_date": "2026-05-19T10:52:12.777000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:33+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.2.16"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19594"
},
{
"category": "workaround",
"details": "To mitigate this vulnerability, Red Hat recommends avoiding the use of wildcard characters in the \"Valid Redirect URIs\" field for clients within Keycloak. Instead, explicitly list all allowed redirect URIs. Review all client configurations to ensure that wildcards are not used unless absolutely necessary, and if used, ensure that the client application is robust against open redirect vulnerabilities. Changes to client configurations in Keycloak may require a restart or reload of the Keycloak service to take effect, which could impact active user sessions.",
"product_ids": [
"Red Hat build of Keycloak 26.2.16"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.2.16"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak/keycloak-services: Open redirect when using wildcard valid redirect URIs in Keycloak"
},
{
"acknowledgments": [
{
"names": [
"Hacking Team"
],
"organization": "Calif.io"
}
],
"cve": "CVE-2026-7507",
"cwe": {
"id": "CWE-290",
"name": "Authentication Bypass by Spoofing"
},
"discovery_date": "2026-04-30T14:57:56.441000+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "2464145"
}
],
"notes": [
{
"category": "description",
"text": "A session fixation vulnerability was found in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint\u2014which processes session handles without adequate CSRF protection or cookie ownership validation\u2014an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim\u0027s credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "This is a Critical session fixation vulnerability in Keycloak\u0027s login-actions endpoints. An unauthenticated attacker can pre-create an authentication session and, by exploiting a lack of CSRF token or cookie ownership checks on the `/login-actions/restart` endpoint, reset the flow state to achieve silent Single Sign-On (SSO). This allows for full takeover of the master-realm admin account in default Keycloak deployments.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"Red Hat build of Keycloak 26.2.16"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2026-7507"
},
{
"category": "external",
"summary": "RHBZ#2464145",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464145"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2026-7507",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-7507"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2026-7507",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7507"
}
],
"release_date": "2026-05-19T10:51:31.418000+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2026-05-20T11:23:33+00:00",
"details": "Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.",
"product_ids": [
"Red Hat build of Keycloak 26.2.16"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2026:19594"
},
{
"category": "workaround",
"details": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
"product_ids": [
"Red Hat build of Keycloak 26.2.16"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"Red Hat build of Keycloak 26.2.16"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover"
}
]
}