
Description

A flaw was found in Keycloak. An access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm that holds valid credentials.

Status: PUBLISHED | Reserved: 2026-04-06 | Published: 2026-05-19 | Updated: 2026-05-20 | Assigner: redhat

Severity: MEDIUM, 6.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

Product status

- Default status: affected; 26.4.12-1 (rpm) before *: unaffected
- Default status: affected; 26.4-17 (rpm) before *: unaffected
- Default status: affected; 26.4-17 (rpm) before *: unaffected
- Default status: unaffected

Timeline

2026-04-06: Reported to Red Hat.
2026-05-19: Made public.

Credits

Red Hat would like to thank Herdiyan Adam Putra for reporting this issue.

References

access.redhat.com/errata/RHSA-2026:19596 (RHSA-2026:19596) vendor-advisory

access.redhat.com/errata/RHSA-2026:19597 (RHSA-2026:19597) vendor-advisory

access.redhat.com/security/cve/CVE-2026-37979 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2455328 (RHBZ#2455328) issue-tracking

cve.org (CVE-2026-37979)

nvd.nist.gov (CVE-2026-37979)
