Description
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
Published: 2026-05-19
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A session fixation flaw was discovered in the login‑actions endpoints of Keycloak. The vulnerability allows an unauthenticated attacker to pre‑create an authentication session and trick a user into following a malicious link that calls the /login-actions/restart endpoint. Because this endpoint does not enforce proper CSRF checks or verify cookie ownership, it resets the state of the authentication flow and forces the target’s single sign‑on process to authenticate transparently when the link is clicked. The attacker can then hijack the required‑action form without ever needing the victim’s credentials. If successfully exploited, the attacker can gain full access to the victim’s account, including high‑privilege administrative accounts, resulting in loss of confidentiality, integrity and availability for the affected user.
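The pattern described above, modelled as a small added example written for this page (it is not Keycloak's code): an attacker pre-creates an authentication session, passes its handle to the victim in a link, and a "restart" handler that trusts the handle in the URL resets the flow without checking that the requesting browser owns that session. The cookie name AUTH_SESSION_ID, the session_code query parameter and the CSRF token scheme are assumptions chosen for illustration, and the hardened handler shows the two checks the advisory says are missing: cookie-ownership validation and an anti-CSRF token bound to the session.

```python
"""Session fixation on a 'restart' endpoint: vulnerable vs. hardened handler.

Added illustration for this page, not Keycloak code. Names such as the
AUTH_SESSION_ID cookie, the session_code query parameter and the flow/owner
fields are assumptions made for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class AuthSession:
    id: str
    owner_cookie: str                      # cookie value issued to the browser that created it
    flow: dict = field(default_factory=dict)


@dataclass
class Request:
    query: dict
    cookies: dict


class AuthServer:
    def __init__(self):
        self.sessions = {}
        self.csrf_key = secrets.token_bytes(32)   # server-side secret for token binding

    def start_session(self):
        """Create an auth session as a fresh browser would; returns (session_id, cookie)."""
        sid = secrets.token_urlsafe(16)
        cookie = secrets.token_urlsafe(16)
        self.sessions[sid] = AuthSession(sid, cookie, flow={"state": "started", "step": 1})
        return sid, cookie

    def csrf_token(self, sid):
        """Token bound to one session; only the server can mint it (assumed scheme)."""
        return hmac.new(self.csrf_key, sid.encode(), hashlib.sha256).hexdigest()

    def restart_vulnerable(self, req):
        """Accepts whatever session_code the URL carries: no ownership or CSRF check."""
        sess = self.sessions.get(req.query.get("session_code"))
        if sess is None:
            return 404, "unknown session"
        sess.flow = {"state": "restarted", "step": 1}    # attacker-controlled session now drives the victim's flow
        return 200, sess.id

    def restart_hardened(self, req):
        """Same endpoint with the two checks the advisory describes as missing."""
        sid = req.query.get("session_code")
        sess = self.sessions.get(sid)
        if sess is None:
            return 404, "unknown session"
        # 1. the browser must present the cookie issued when this session was created
        if not hmac.compare_digest(req.cookies.get("AUTH_SESSION_ID", ""), sess.owner_cookie):
            return 403, "session not owned by this browser"
        # 2. a state-changing request needs a token bound to the session (anti-CSRF)
        if not hmac.compare_digest(req.query.get("csrf", ""), self.csrf_token(sid)):
            return 403, "missing or invalid CSRF token"
        sess.flow = {"state": "restarted", "step": 1}
        return 200, sess.id


def demo():
    """Returns (vulnerable status, hardened status, hardened status for the real owner)."""
    srv = AuthServer()
    attacker_sid, attacker_cookie = srv.start_session()    # attacker pre-creates a session
    # the victim follows the attacker's link; the victim's browser holds no cookie for it
    victim_req = Request(query={"session_code": attacker_sid}, cookies={})
    vuln = srv.restart_vulnerable(victim_req)
    hard = srv.restart_hardened(victim_req)
    # a legitimate restart by the session's real owner carries cookie and bound token
    owner_req = Request(query={"session_code": attacker_sid, "csrf": srv.csrf_token(attacker_sid)},
                        cookies={"AUTH_SESSION_ID": attacker_cookie})
    ok = srv.restart_hardened(owner_req)
    return vuln[0], hard[0], ok[0]


if __name__ == "__main__":
    print(demo())
```

The vulnerable handler returns 200 for the victim's cookie-less request and resets the flow on the attacker's session; the hardened one returns 403 for that request while still serving the session's real owner.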

Affected Systems

The advisory lists a single affected vendor and product, Red Hat: Red Hat Build of Keycloak, with no specific release or version information, so every Red Hat-provided Keycloak deployment that contains the vulnerable login-actions endpoints should be treated as potentially impacted until a fixed version is confirmed. The CVE title names the affected component as org.keycloak/keycloak-services, which is the upstream Keycloak services module; the record itself only lists the Red Hat build, so users of upstream Keycloak should check the Keycloak project's own advisories.

Risk and Exploitability

The flaw carries a CVSS v3.1 base score of 7.5 (High). The vector, CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H, records network reachability with no privileges required, but high attack complexity and required user interaction: the attacker has to pre-stage an authentication session and get the victim to follow the crafted link. The EPSS estimate is below 1% (very low), there is no KEV listing, and the SSVC assessment records no known exploitation and rates the attack as not automatable while scoring its technical impact as total. The likelihood of opportunistic exploitation is therefore low today, but a successful targeted attack ends in full account takeover, which is critical where privileged accounts are involved.

Generated by OpenCVE AI on May 19, 2026 at 12:21 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.


OpenCVE Recommended Actions

  • Apply the latest Red Hat update that addresses the session fixation issue in Keycloak. The missing CSRF and cookie-ownership checks on /login-actions/restart are in Keycloak's own code and cannot be added through configuration, so the vendor update is the remediation; as noted above, no workaround meets Red Hat's criteria.
  • Until the update is applied, reduce exposure where the deployment allows it: expose Keycloak login endpoints only to trusted networks (often not possible for public-facing SSO) and monitor access logs for /login-actions/restart requests arriving from off-site referrers or unexpected clients, since the attack depends on the victim reaching that endpoint through an attacker-supplied link.
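A way to act on the monitoring recommendation, as an added example for this page (not an OpenCVE or Keycloak tool): scan reverse-proxy access logs in the common "combined" format for calls to the restart endpoint that were not navigated from the SSO host itself. The log lines below are constructed, the /realms/<realm>/login-actions/restart path prefix and the query parameters are taken as the realm-style URL layout for illustration, and treating an off-site or absent Referer on a restart call as suspicious is a heuristic assumption of this detector: ordinary flows reach the endpoint from the realm's own login pages, while the attack delivers the link from elsewhere.

```python
"""Heuristic detection of off-site links into /login-actions/restart.

Added example for this page. Input is reverse-proxy access logging in the
'combined' format; SAMPLE_LOG is constructed, and the off-site/no-Referer
rule is an assumption of the heuristic, not a vendor-published signature.
"""
import re
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
RESTART_RE = re.compile(r"^/realms/[^/]+/login-actions/restart(\?|$)")

# Constructed sample: one in-flow restart, one restart referred from an outside
# site, one unrelated request and one restart with no Referer at all.
SAMPLE_LOG = """\
203.0.113.5 - - [19/May/2026:10:51:31 +0000] "GET /realms/corp/login-actions/restart?client_id=account&tab_id=abc HTTP/1.1" 302 0 "https://sso.example.com/realms/corp/login-actions/authenticate" "Mozilla/5.0"
198.51.100.9 - - [19/May/2026:10:52:02 +0000] "GET /realms/corp/login-actions/restart?client_id=account&tab_id=xyz HTTP/1.1" 302 0 "https://attacker.example.net/win-a-prize" "Mozilla/5.0"
198.51.100.9 - - [19/May/2026:10:52:03 +0000] "GET /realms/corp/protocol/openid-connect/auth?client_id=account HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.77 - - [19/May/2026:10:53:10 +0000] "GET /realms/corp/login-actions/restart?client_id=admin-console&tab_id=q1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_restart(entry, sso_host):
    """None for non-restart requests; otherwise 'same-site', 'off-site' or 'no-referer'."""
    if not RESTART_RE.match(entry["path"]):
        return None
    ref = entry["referer"]
    if ref in ("", "-"):
        return "no-referer"
    return "same-site" if urlparse(ref).hostname == sso_host else "off-site"


def find_suspicious(log_text, sso_host="sso.example.com"):
    """Return (ip, timestamp, referer, verdict) for restart calls not referred from the SSO host.

    A missing Referer is reported as a lower-confidence hit: a link pasted from
    mail or chat arrives this way, which is exactly how the crafted link is
    delivered, but so do bookmarks and privacy-stripped referrers.
    """
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = classify_restart(entry, sso_host)
        if verdict in ("off-site", "no-referer"):
            hits.append((entry["ip"], entry["ts"], entry["referer"], verdict))
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit)
```

Running it on the constructed sample reports the restart referred from attacker.example.net as off-site and the Referer-less restart as a lower-confidence hit; the in-flow restart and the unrelated OIDC request are not reported. Tune sso_host to the realm's public hostname and add any legitimate external referrers (e.g. a corporate portal that links straight into login) to an allow-list before alerting on off-site hits.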

Generated by OpenCVE AI on May 19, 2026 at 12:21 UTC.

Advisories

No advisories yet.

History

Tue, 19 May 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 12:15:00 +0000

Type         Values Removed           Values Added
References   (none shown)             (none shown)
Metrics      threat_severity: None    threat_severity: Important


Tue, 19 May 2026 11:30:00 +0000

Type                  Values Removed   Values Added
Description           (none)           A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
Title                 (none)           Org.keycloak/keycloak-services: session fixation in oidc login flow that can lead to account takeover
First Time appeared   (none)           Redhat; Redhat build Keycloak
Weaknesses            (none)           CWE-290
CPEs                  (none)           cpe:/a:redhat:build_keycloak:
Vendors & Products    (none)           Redhat; Redhat build Keycloak
References            (none shown)     (none shown)
Metrics               (none)           cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-19T13:40:46.890Z

Reserved: 2026-04-30T14:58:15.177Z

Link: CVE-2026-7507

Vulnrichment

Updated: 2026-05-19T13:40:43.278Z

NVD

Status : Awaiting Analysis

Published: 2026-05-19T12:16:19.687

Modified: 2026-05-19T14:25:40.320

Link: CVE-2026-7507

Red Hat

Severity : Important

Public Date: 2026-05-19T10:51:31Z

Links: CVE-2026-7507 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-19T12:30:05Z

Weaknesses