5.4
CVE-2026-7500
- EPSS 0.23%
- Veröffentlicht 30.04.2026 14:53:09
- Zuletzt bearbeitet 26.06.2026 08:16:25
- Quelle secalert@redhat.com
- CVE-Watchlists
- Unerledigt
Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Redhat ≫ Build Of Keycloak Version- SwEdition-
VulnDex Vulnerability Enrichment
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.23% | 0.14 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secalert@redhat.com | 5.4 | 2.8 | 2.5 |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
|
CWE-425 Direct Request ('Forced Browsing')
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files.
https://access.redhat.com/security/cve/CVE-2026-7500
https://bugzilla.redhat.com/show_bug.cgi?id=2464126
https://access.redhat.com/errata/RHSA-2026:25098
https://access.redhat.com/errata/RHSA-2026:25097
https://access.redhat.com/errata/RHSA-2026:30049
https://access.redhat.com/errata/RHSA-2026:30050