CyberSec.Space Logo
Back to CVE Browser

CVE-2026-7500

MEDIUM
5.4
CVSS Severity Score
EPSS Score0.0420%
EPSS Percentile2.48th
PublishedApr 30, 2026
Last ModifiedJun 10, 2026

Vulnerability Description

When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional β€” including both read and write operations β€” because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

Affected Platforms (CPE)

πŸ“¦
Redhat

Build Of Keycloak

All versions

References & Advisories

πŸ”— https://access.redhat.com/errata/RHSA-2026:25097
πŸ”— https://access.redhat.com/errata/RHSA-2026:25098
πŸ”— https://access.redhat.com/security/cve/CVE-2026-7500
πŸ”— https://bugzilla.redhat.com/show_bug.cgi?id=2464126

Related Vulnerabilities

CVE-2026-4638910.0

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Ident...

CVE-2026-2012710.0

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN M...

CVE-2026-4077210.0

Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions.

CVE-2026-2018210.0

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after ...