GHSA-hm32-hfmw-rhvgMediumCVSS 5.4
Keycloak has a Forced Browsing issue
🔗 CVE IDs covered (1)
📋 Description
When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled() gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
🎯 Affected products1
- maven/org.keycloak:keycloak-services:<= 26.6.1
🔗 References (7)
- https://nvd.nist.gov/vuln/detail/CVE-2026-7500
- https://access.redhat.com/security/cve/CVE-2026-7500
- https://bugzilla.redhat.com/show_bug.cgi?id=2464126
- https://github.com/keycloak/keycloak/issues/48709
- https://github.com/keycloak/keycloak/pull/48715
- https://access.redhat.com/errata/RHSA-2026:25098
- https://github.com/advisories/GHSA-hm32-hfmw-rhvg