HIGH🇬🇧 English

CVE-2026-7571

CVSS 7.1v3.1pub. 2026-05-19upd. 2026-06-03

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.

oryginał EN
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
  • Red Hat Build Of Keycloak

    APP
    Redhat
    26.4 – 26.4.12 (bez)
🔵
ZWERYFIKUJ U PRODUCENTA
Brak jednoznacznych danych o patchu. Sprawdź referencje od producenta.
CWE
Referencje

Powiązane podatności

CVE-2026-9099HIGH7.7ten sam produkt

A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within th...

CVE-2026-9800HIGH8.1ten sam produkt

A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all a...

CVE-2026-11800HIGH8.1ten sam produkt

A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow a...

CVE-2026-9086HIGH7.3ten sam produkt

A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manag...

CVE-2026-9795HIGH7.3ten sam produkt

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited ...

CVE-2026-7571 — HIGH 7.1 | CVEbaza.pl