CVE-2026-7500: Direct Request ('Forced Browsing') in Red Hat Red Hat Build of Keycloak
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
AI Analysis
Technical Summary
When Red Hat Build of Keycloak is started with the --features-disabled=account,account-api option, the Account REST API is only partially disabled. Specifically, five endpoints under the versioned path /account/v1alpha1 remain fully functional, including both read and write operations. These endpoints lack the checkAccountApiEnabled() gate that correctly blocks four other endpoints in the same REST service class. Access to these endpoints requires user permissions. This results in a direct request (forced browsing) vulnerability allowing access to partially disabled API endpoints.
Potential Impact
The vulnerability allows users with permissions to access and perform read and write operations on five account-related API endpoints that should have been disabled. This could lead to unauthorized access or modification of account-related data within the scope of the user's permissions. The overall impact is limited by the requirement that the user must already have permissions to use the API. There is no indication of privilege escalation or unauthenticated access.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-7500 for current remediation guidance. Until an official fix is released, users should avoid starting Keycloak with the --features-disabled=account,account-api option if they require full disabling of the Account REST API. Review and restrict user permissions to minimize exposure to these endpoints.
CVE-2026-7500: Direct Request ('Forced Browsing') in Red Hat Red Hat Build of Keycloak
Description
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
When Red Hat Build of Keycloak is started with the --features-disabled=account,account-api option, the Account REST API is only partially disabled. Specifically, five endpoints under the versioned path /account/v1alpha1 remain fully functional, including both read and write operations. These endpoints lack the checkAccountApiEnabled() gate that correctly blocks four other endpoints in the same REST service class. Access to these endpoints requires user permissions. This results in a direct request (forced browsing) vulnerability allowing access to partially disabled API endpoints.
Potential Impact
The vulnerability allows users with permissions to access and perform read and write operations on five account-related API endpoints that should have been disabled. This could lead to unauthorized access or modification of account-related data within the scope of the user's permissions. The overall impact is limited by the requirement that the user must already have permissions to use the API. There is no indication of privilege escalation or unauthenticated access.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-7500 for current remediation guidance. Until an official fix is released, users should avoid starting Keycloak with the --features-disabled=account,account-api option if they require full disabling of the Account REST API. Review and restrict user permissions to minimize exposure to these endpoints.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-04-30T14:32:50.005Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-7500","vendor":"Red Hat"}]
Threat ID: 69f37003cbff5d86102de4f3
Added to database: 4/30/2026, 3:06:43 PM
Last enriched: 4/30/2026, 3:21:20 PM
Last updated: 4/30/2026, 4:21:15 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.