Threats Tagged 'cve-2026-7500'
Red Hat Security Advisory: Red Hat build of Keycloak 26.6.3 Update (CVE-2026-4874)

Red Hat build of Keycloak 26.6.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security fixes:
* Security restriction bypass allows unauthorized ROPC token acquisition (CVE-2026-9792)
* Privilege escalation due to oversized subject_token JWT (CVE-2026-9704)
* Denial of Service via malformed LDAP password policy response (CVE-2026-9801)
* Denial of Service via malformed Authorization header (CVE-2026-9803)
* Organization data leak after feature disabled in Keycloak (CVE-2026-9791)
* Information disclosure via SAML ECP endpoint (CVE-2026-9794)
* Unauthorized account access via replayed refresh tokens after cluster restart (CVE-2026-9802)
* Cross-session email verification proof not bound to upstream identity in first-broker-login (CVE-2026-9087)
* Information disclosure due to user profile permission bypass (CVE-2026-9088)
* Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation (CVE-2026-8830)
* Improper access control on Keycloak Server when the Account API feature is disabled (CVE-2026-7500)
* Security flaw in org.keycloak/keycloak-services (CVE-2026-8922)
* Information disclosure via CORS header injection due to unvalidated JWT azp claim (CVE-2026-37977)
* Server-Side Request Forgery via OIDC token endpoint manipulation (CVE-2026-4874)

GCVE Database | 06/10/2026, 17:35:31 UTC | Added: 06/11/2026, 09:09:33 UTC
CVE-2026-7500: Direct Request ('Forced Browsing') in Red Hat build of Keycloak 26.6

When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

CVE Database V5 | 04/30/2026, 14:53:09 UTC | Added: 04/30/2026, 15:06:43 UTC