Description
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.
Published: 2026-05-19
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Keycloak contains a flaw that allows a low‑privilege user, who knows a user’s credentials and a client ID, to bypass the control that disables implicit flow in OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be issued and can be exposed through server logs, proxy logs, or HTTP Referrer headers, resulting in sensitive information disclosure. The weakness is a client‑side data validation flaw (CWE-472).

Affected Systems

The affected product is Red Hat Build of Keycloak. Version information is not explicitly provided in the advisory, so any deployment of this build may be vulnerable until a patch is released or mitigations are applied.

Risk and Exploitability

The CVSS score of 7.1 indicates a high risk, but there is no EPSS data and the vulnerability is not in the CISA KEV catalog. The likely attack vector requires an attacker to control a legitimate user account and know a client ID; it involves manipulating client data when restarting a session. Without mitigation, the attacker can gain unauthorized access tokens and expose them in logs, creating a risk of credential compromise and data leakage.

Generated by OpenCVE AI on May 19, 2026 at 12:21 UTC.

Remediation

Vendor Workaround

To mitigate this issue, restrict network access to the Keycloak authentication endpoint to trusted clients and networks. Implement firewall rules to control inbound connections to the Keycloak service ports, thereby reducing the attack surface and limiting who can initiate authentication flows and potentially exploit the implicit flow bypass. If the Keycloak service is reloaded or restarted, ensure these network restrictions remain in effect.

OpenCVE Recommended Actions

  • Restrict network access to the Keycloak authentication endpoint by configuring firewall rules that allow only trusted clients and networks; avoid exposing the service to the public internet.
  • Persist the restriction across restarts by adding firewall rules to startup scripts or using a managed firewall service that re‑applies the rules automatically.
  • When Red Hat releases a patch that fixes the client data validation flaw, upgrade Keycloak to the updated version and restart the service.

Generated by OpenCVE AI on May 19, 2026 at 12:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 19 May 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 19 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Tue, 19 May 2026 11:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.
Title Keycloak: keycloak: access token disclosure and implicit flow bypass via forged client data
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-472
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Redhat Build Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-19T12:00:14.931Z

Reserved: 2026-04-30T22:21:27.850Z

Link: CVE-2026-7571

cve-icon Vulnrichment

Updated: 2026-05-19T11:58:48.969Z

cve-icon NVD

Status : Received

Published: 2026-05-19T12:16:19.820

Modified: 2026-05-19T12:16:19.820

Link: CVE-2026-7571

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-05-19T10:50:49Z

Links: CVE-2026-7571 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T13:30:05Z

Weaknesses