GHSA-hm32-hfmw-rhvgMediumCVSS 5.4

Keycloak has a Forced Browsing issue

Published
April 30, 2026
Last Modified
June 10, 2026

🔗 CVE IDs covered (1)

📋 Description

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled() gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

🎯 Affected products1

  • maven/org.keycloak:keycloak-services:<= 26.6.1

🔗 References (7)