CVE-2026-7500: Direct Request ('Forced Browsing') in Red Hat Red Hat build of Keycloak 26.6
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
AI Analysis
Technical Summary
The vulnerability arises because the Account REST API is only partially disabled when Keycloak is started with the --features-disabled=account,account-api option. Specifically, five endpoints under the versioned path /account/v1alpha1 do not implement the checkAccountApiEnabled() gate that blocks other endpoints in the same service. As a result, these endpoints remain fully functional, including read and write operations, for users who have permissions to use the API. This constitutes an improper access control issue in the Red Hat build of Keycloak 26.6.3.
Potential Impact
An attacker or user with permissions to use the API can access and perform operations on five account-related endpoints that should have been disabled. This bypasses the intended feature disablement controls, potentially exposing sensitive account functionality. The CVSS score of 5.4 (medium severity) reflects limited confidentiality and integrity impact without denial of service or privilege escalation. There are no known exploits in the wild.
Mitigation Recommendations
The vendor advisory does not explicitly state a patch or fix available for this specific CVE at the time of publication. Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-7500 for current remediation guidance. Until a fix is available, avoid starting Keycloak with the --features-disabled=account,account-api option if relying on full disablement of the Account API, or restrict API user permissions carefully to mitigate risk.
CVE-2026-7500: Direct Request ('Forced Browsing') in Red Hat Red Hat build of Keycloak 26.6
Description
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
CVSS v3.1
Score 5.4medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises because the Account REST API is only partially disabled when Keycloak is started with the --features-disabled=account,account-api option. Specifically, five endpoints under the versioned path /account/v1alpha1 do not implement the checkAccountApiEnabled() gate that blocks other endpoints in the same service. As a result, these endpoints remain fully functional, including read and write operations, for users who have permissions to use the API. This constitutes an improper access control issue in the Red Hat build of Keycloak 26.6.3.
Potential Impact
An attacker or user with permissions to use the API can access and perform operations on five account-related endpoints that should have been disabled. This bypasses the intended feature disablement controls, potentially exposing sensitive account functionality. The CVSS score of 5.4 (medium severity) reflects limited confidentiality and integrity impact without denial of service or privilege escalation. There are no known exploits in the wild.
Mitigation Recommendations
The vendor advisory does not explicitly state a patch or fix available for this specific CVE at the time of publication. Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-7500 for current remediation guidance. Until a fix is available, avoid starting Keycloak with the --features-disabled=account,account-api option if relying on full disablement of the Account API, or restrict API user permissions carefully to mitigate risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-04-30T14:32:50.005Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-7500","vendor":"Red Hat"}]
Threat ID: 69f37003cbff5d86102de4f3
Added to database: 4/30/2026, 3:06:43 PM
Last enriched: 6/10/2026, 6:33:47 PM
Last updated: 6/14/2026, 3:09:52 PM
Views: 97
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.