Description
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.
Published: 2026-05-19
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability exists in Keycloak's OIDC token introspection endpoint, where a confidential client can bypass the audience restrictions. The flaw enables the retrieval of token claims that are intended for other resource servers, thereby leaking sensitive information. As a result, an attacker can compromise the confidentiality of lightweight access tokens, exposing potentially confidential user data or service permissions.

Affected Systems

The affected product is Red Hat Build of Keycloak. No specific version range is disclosed, so all installations of this product should be examined for a fix once it becomes available.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score is not available, so there is no current estimate of exploitation likelihood. The vulnerability is not listed in CISA KEV. Based on the description, it is inferred that the attack vector is remote, with the attacker needing valid confidential client credentials within the realm to trigger the exploit.

Generated by OpenCVE AI on May 19, 2026 at 12:23 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

OpenCVE Recommended Actions

  • Contact Red Hat to obtain the official patch or update once it becomes available
  • Configure the Keycloak server to restrict confidential clients from accessing the introspection endpoint or enforce strict audience validation
  • Monitor introspection endpoint usage logs for anomalous activity and review client permissions for excessive privileges

Generated by OpenCVE AI on May 19, 2026 at 12:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4x37-hw65-52w8 Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass
History

Wed, 03 Jun 2026 20:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:*

Wed, 20 May 2026 16:45:00 +0000

Type Values Removed Values Added
References

Wed, 20 May 2026 12:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.4::el9
References

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Vendors & Products Redhat build Of Keycloak

Tue, 19 May 2026 12:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-284

Tue, 19 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 19 May 2026 11:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.
Title Keycloak: keycloak: information disclosure via oidc token introspection endpoint audience bypass
First Time appeared Redhat
Redhat build Keycloak
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Redhat Build Keycloak Build Of Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-20T16:08:52.747Z

Reserved: 2026-04-06T07:48:39.722Z

Link: CVE-2026-37979

cve-icon Vulnrichment

Updated: 2026-05-19T13:40:04.125Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T12:16:18.330

Modified: 2026-06-03T19:50:44.920

Link: CVE-2026-37979

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-19T00:00:00Z

Links: CVE-2026-37979 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T14:30:06Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-284

    Improper Access Control