CyberSec.Space Logo
返回 CVE 瀏覽器

CVE-2026-7500

MEDIUM
5.4
CVSS Severity Score
EPSS Score0.0420%
EPSS Percentile2.48th
Published2026年4月30日
Last Modified2026年6月10日

Vulnerability Description

When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

Affected Platforms (CPE)

📦
Redhat

Build Of Keycloak

All versions

References & Advisories

🔗 https://access.redhat.com/errata/RHSA-2026:25097
🔗 https://access.redhat.com/errata/RHSA-2026:25098
🔗 https://access.redhat.com/security/cve/CVE-2026-7500
🔗 https://bugzilla.redhat.com/show_bug.cgi?id=2464126

相關漏洞威脅

CVE-2026-4638910.0

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Ident...

CVE-2026-2018210.0

May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after ...

CVE-2026-2012710.0

A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN M...

CVE-2026-4669510.0

Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within the...