Description

A flaw was found in Keycloak. A low-privilege user who knows valid user credentials and a client ID can bypass the security control intended to disable the implicit flow for OpenID Connect (OIDC) clients. By manipulating client data during a session restart, the attacker can obtain an access token that should not be issued. Because the implicit flow delivers tokens in the redirect URL, this can also expose those access tokens in server logs, proxy logs, and HTTP Referer headers, resulting in sensitive information disclosure.

Status: PUBLISHED | Reserved: 2026-04-30 | Published: 2026-05-19 | Updated: 2026-05-20 | Assigner: redhat

Severity: HIGH 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N)

Problem types

External Control of Assumed-Immutable Web Parameter

Product status

Default status: affected
26.4.12-1 (rpm) before *: unaffected

Default status: affected
26.4-17 (rpm) before *: unaffected

Default status: affected
26.4-17 (rpm) before *: unaffected

Default status: unaffected

Timeline

2026-04-30: Reported to Red Hat.
2026-05-19: Made public.

Credits

Red Hat would like to thank Evan Hendra for reporting this issue.

References

access.redhat.com/errata/RHSA-2026:19596 (RHSA-2026:19596) vendor-advisory

access.redhat.com/errata/RHSA-2026:19597 (RHSA-2026:19597) vendor-advisory

access.redhat.com/security/cve/CVE-2026-7571 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2464263 (RHBZ#2464263) issue-tracking

cve.org (CVE-2026-7571)

nvd.nist.gov (CVE-2026-7571)