This advisory covers multiple security vulnerabilities in Red Hat build of Keycloak 26.4.12, a standalone authentication and single sign-on server. The issues include denial of service (CVE-2026-7307), information disclosure via the evaluate-scopes Admin API (CVE-2026-37978), unauthorized account takeover through WebAuthn token replay (CVE-2026-37982), OIDC token introspection audience bypass (CVE-2026-37979), access token disclosure and implicit flow bypass via forged client data (CVE-2026-7571), session fixation in the OIDC login flow (CVE-2026-7507), open redirect vulnerabilities with wildcard redirect URIs (CVE-2026-7504), information disclosure due to broken access control in the user lookup endpoint (CVE-2026-37981), and unauthorized resource access and data modification via insecure direct object reference (CVE-2026-4630). These vulnerabilities affect the security of authentication flows, token handling, and access control mechanisms within Keycloak 26.4.12.

Successful exploitation of these vulnerabilities can lead to denial of service conditions, unauthorized disclosure of sensitive information, account takeover, bypass of authentication and authorization controls, open redirect attacks, and unauthorized access or modification of protected resources. This compromises the confidentiality, integrity, and availability of applications relying on Keycloak for authentication and single sign-on.

Red Hat has issued a security advisory (RHSA-2026:19596) for Keycloak 26.4.12 addressing these vulnerabilities. Users should back up their existing installations, including applications, configuration files, and databases, before applying the update. Applying the official Red Hat update for Keycloak 26.4.12 is the recommended remediation. Patch status is not explicitly stated in the advisory text provided; users should consult the Red Hat Customer Portal advisory RHSA-2026:19596 for the latest patch availability and installation instructions.