RHSA-2026:19596HighCVSS 8.1

Red Hat Security Advisory: Red Hat build of Keycloak 26.4.12 Security Update

Published
May 20, 2026
Last Modified
July 2, 2026

🔗 CVE IDs covered (10)

📋 Description

CVE-2026-4366 — keycloak-services: Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling in Keycloak CVE-2026-4630 — keycloak: Keycloak: Unauthorized resource access and data modification via Insecure Direct Object Reference CVE-2026-7307 — keycloak: Keycloak: Denial of Service via specially crafted SAML input CVE-2026-7504 — org.keycloak/keycloak-services: Open redirect when using wildcard valid redirect URIs in Keycloak CVE-2026-7507 — org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover CVE-2026-7571 — keycloak: Keycloak: Access token disclosure and implicit flow bypass via forged client data CVE-2026-37978 — keycloak: org.keycloak.services: Keycloak: Information Disclosure via evaluate-scopes Admin API CVE-2026-37979 — keycloak: Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass CVE-2026-37981 — keycloak: org.keycloak.authorization: Keycloak: Information disclosure via broken access control in user lookup endpoint CVE-2026-37982 — keycloak: org.keycloak.authentication: Keycloak: Unauthorized account takeover via WebAuthn token replay

🔗 References (3)