Description
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
Published: 2026-04-30
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows the Keycloak account REST API to remain partially enabled even when the `--features-disabled=account,account-api` flag is used. Five endpoints under the `/account/v1alpha1` path bypass the required gate and therefore remain fully functional for any user who has API access permissions. This improper access control can enable a malicious actor with limited permissions to access or modify account information, potentially leading to unauthorized data exposure or account manipulation. The weakness is identified as CWE-425 – Improper Privilege Management.

Affected Systems

The affected product is Red Hat Build of Keycloak. All versions that can be started with the feature‑disable flag and still expose the `/account/v1alpha1` endpoints are vulnerable. No specific version numbers are specified in the advisory.

Risk and Exploitability

The CVSS vector scores the issue as 5.4, indicating moderate severity. The EPSS score is not available and it is not listed in the CISA KEV catalog, suggesting no current evidence of active exploitation. The likely attack vector is remote, requiring network connectivity to the Keycloak server’s administration and API endpoints. Successful exploitation would allow a user with any API access rights to interact with the exposed endpoints, thereby bypassing intentional disabling of the account API service.

Generated by OpenCVE AI on May 1, 2026 at 05:10 UTC.

Remediation

Vendor Workaround

To reduce the attack surface, restrict network access to the Keycloak server's administration and API endpoints to trusted networks or hosts. This limits the ability of unauthorized users to interact with the server and potentially exploit this improper access control vulnerability. If the Keycloak service is reloaded or restarted, ensure that firewall rules or network access controls remain in effect.

OpenCVE Recommended Actions

  • Restrict network access to the Keycloak server’s administration and API endpoints to trusted networks or hosts, thereby limiting the ability of unauthorized users to interact with the vulnerable endpoints.
  • After applying network restrictions or firewall rules, reload or restart the Keycloak service to ensure the new access controls remain in effect.
  • Monitor Red Hat’s security advisories for a vendor patch that fully disables the remaining endpoints, and upgrade the Keycloak installation as soon as a fix becomes available.

Generated by OpenCVE AI on May 1, 2026 at 05:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 01 May 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 30 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Vendors & Products Redhat build Of Keycloak

Thu, 30 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 30 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
Title Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-425
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Subscriptions

Redhat Build Keycloak Build Of Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-30T15:10:45.325Z

Reserved: 2026-04-30T14:32:50.005Z

Link: CVE-2026-7500

cve-icon Vulnrichment

Updated: 2026-04-30T15:06:53.790Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-30T15:16:23.673

Modified: 2026-04-30T15:48:26.580

Link: CVE-2026-7500

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-30T00:00:00Z

Links: CVE-2026-7500 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-01T05:15:09Z

Weaknesses