CVE-2026-37979 - Vulnerability Details

- Keycloak: keycloak: information disclosure via oidc token introspection endpoint audience bypass

Description

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.

Published: 2026-05-19

Score: 6.5 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability exists in Keycloak's OIDC token introspection endpoint, where a confidential client can bypass the audience restrictions. The flaw enables the retrieval of token claims that are intended for other resource servers, thereby leaking sensitive information. As a result, an attacker can compromise the confidentiality of lightweight access tokens, exposing potentially confidential user data or service permissions.

Affected Systems

The affected product is Red Hat Build of Keycloak. No specific version range is disclosed, so all installations of this product should be examined for a fix once it becomes available.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, so there is no current estimate of exploitation likelihood. The vulnerability is not listed in CISA KEV. Based on the description, it is inferred that the attack vector is remote, with the attacker needing valid confidential client credentials within the realm to trigger the exploit.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor	Product	Default status	Versions
Red Hat	Red Hat Build of Keycloak	affected	—

No data.

No data available yet.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

OpenCVE Recommended Actions

Contact Red Hat to obtain the official patch or update once it becomes available
Configure the Keycloak server to restrict confidential clients from accessing the introspection endpoint or enforce strict audience validation
Monitor introspection endpoint usage logs for anomalous activity and review client permissions for excessive privileges

Generated by OpenCVE AI on May 19, 2026 at 12:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00031.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2026-37979
https://bugzilla.redhat.com/show_bug.cgi?id=2455328
https://nvd.nist.gov/vuln/detail/CVE-2026-37979
https://www.cve.org/CVERecord?id=CVE-2026-37979

History

Tue, 19 May 2026 12:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-200 CWE-284

Tue, 19 May 2026 12:15:00 +0000

Type	Values Removed	Values Added
References		https://nvd.nist.gov/vuln/detail/CVE-2026-37979 https://www.cve.org/CVERecord?id=CVE-2026-37979
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 19 May 2026 11:30:00 +0000

Type	Values Removed	Values Added
Description		A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.
Title		Keycloak: keycloak: information disclosure via oidc token introspection endpoint audience bypass
First Time appeared		Redhat Redhat build Keycloak
CPEs		cpe:/a:redhat:build_keycloak:
Vendors & Products		Redhat Redhat build Keycloak
References		https://access.redhat.com/security/cve/CVE-2026-37979 https://bugzilla.redhat.com/show_bug.cgi?id=2455328
Metrics		cvssV3_1 `{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}`

Subscriptions

Redhat Build Keycloak

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2026-05-19T10:52:30.442Z

Updated: 2026-05-19T10:52:30.442Z

Reserved: 2026-04-06T07:48:39.722Z

Link: CVE-2026-37979

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-19T12:16:18.330

Modified: 2026-05-19T12:16:18.330

Link: CVE-2026-37979

Redhat

Severity : Moderate

Publid Date: 2026-05-19T00:00:00Z

Links: CVE-2026-37979 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-19T12:30:05Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object