MEDIUM 5.4 Maven

Keycloak has a Forced Browsing issue

GHSA-hm32-hfmw-rhvg · CVE-2026-7500


Description

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional, including both read and write operations, because they lack the checkAccountApiEnabled() gate that correctly blocks four other endpoints in the same REST service class. The caller must still hold the permissions required to use the API.
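To illustrate the defect class, the following is an added, simplified JAX-RS resource, not Keycloak's own code: apart from the path /account/v1alpha1 and the name checkAccountApiEnabled(), every class, method and endpoint name is assumed, and the resource is assumed to be instantiated per request. The first class gates the feature per method, so a method that omits the call stays reachable; the second enforces the flag once in the constructor, so no endpoint can skip it.

```java
import jakarta.ws.rs.*;
import jakarta.ws.rs.core.Response;

// Stand-in for the feature-flag lookup; a real server would consult its
// feature configuration (here: --features-disabled=account,account-api).
final class Features {
    static volatile boolean accountApiEnabled = false; // assumed: disabled at startup
}

// VULNERABLE PATTERN: the gate is a per-method call, so any method that
// forgets to call it remains reachable while the feature is disabled.
@Path("/account/v1alpha1")
class AccountRestServiceBefore {
    private void checkAccountApiEnabled() {
        if (!Features.accountApiEnabled) {
            throw new NotFoundException(); // feature off: behave as if the API did not exist
        }
    }

    @GET @Path("/profile")              // hypothetical endpoint: gated
    public Response getProfile() {
        checkAccountApiEnabled();
        return Response.ok().build();
    }

    @POST @Path("/credentials")         // hypothetical endpoint: gate forgotten
    public Response updateCredentials() {
        return Response.ok().build();   // still served with the feature disabled
    }
}

// HARDENED PATTERN: the check runs in the constructor, which a per-request
// JAX-RS resource executes before any method is dispatched, so the gate
// covers every current and future endpoint of the class.
@Path("/account/v1alpha1")
class AccountRestServiceAfter {
    AccountRestServiceAfter() {
        if (!Features.accountApiEnabled) {
            throw new NotFoundException();
        }
    }

    @GET @Path("/profile")
    public Response getProfile() { return Response.ok().build(); }

    @POST @Path("/credentials")
    public Response updateCredentials() { return Response.ok().build(); }
}
```

A ContainerRequestFilter matched on the /account/v1alpha1 prefix achieves the same single point of enforcement when the resource is not request-scoped.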
