Close Menu
    Subscribe
    Alerts

    CVE-2026-7571 | THREATINT

    adminBy No Comments1 Min Read


    Home

    Description

    A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.

    PUBLISHED Reserved 2026-04-30 | Published 2026-05-19 | Updated 2026-05-19 | Assigner redhat

    HIGH: 7.1CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

    Problem types

    External Control of Assumed-Immutable Web Parameter

    Product status

    Default status
    affected

    Timeline

    2026-04-30: Reported to Red Hat.
    2026-05-19: Made public.

    Credits

    Red Hat would like to thank Evan Hendra for reporting this issue.

    References

    access.redhat.com/security/cve/CVE-2026-7571 vdb-entry

    bugzilla.redhat.com/show_bug.cgi?id=2464263 (RHBZ#2464263) issue-tracking

    cve.org (CVE-2026-7571)

    nvd.nist.gov (CVE-2026-7571)

    Download JSON



    Source link

    Share.

    Related Posts

    Add A Comment

    Comments are closed.