CVE-2026-7571
7.1 HIGH · A flaw was found in Keycloak
Published: 2026-05-19 · Last updated: 2026-06-03
Severity and scoring
- CVSS: 7.1 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
- CWE: CWE-472 (External Control of Assumed-Immutable Web Parameter)
Affected products
| Vendor | Product |
|---|---|
| redhat | build_of_keycloak |
Description
A flaw was found in Keycloak. A low-privilege user with knowledge of valid user credentials and a client ID can bypass the security control intended to disable the implicit flow for OpenID Connect (OIDC) clients. By manipulating client data during a session restart, the attacker can obtain an access token that the client's configuration should not allow to be issued. Because the implicit flow returns tokens in the front channel, this can also expose those access tokens in server logs, proxy logs and HTTP Referer headers, resulting in sensitive information disclosure. Note that the per-client setting that disables the implicit flow is the control being bypassed, so having it disabled does not by itself mitigate the issue; apply the fixed builds referenced in the vendor advisories, and treat any access token found in a log or Referer header as compromised.
Source: NVD
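The two observable symptoms in the description, an authorization request asking for an implicit or hybrid response type on a client that should not allow it, and an access token surfacing in a request URL or Referer header, can both be spotted in a reverse proxy's access log. The following is an added detection example written for this page; it is not code from the advisory or from the Keycloak project. The log line format, the `IMPLICIT_DISABLED_CLIENTS` allowlist, the realm name and every sample line are constructed assumptions; the only Keycloak-specific fact it relies on is the authorization endpoint path `/realms/<realm>/protocol/openid-connect/auth`.

```python
"""Detection for the exposure patterns described under CVE-2026-7571.

Added example, not part of the advisory or of Keycloak itself.
Scans constructed reverse-proxy access-log lines for:
  1. authorization requests whose response_type includes "token" or
     "id_token" (implicit/hybrid flow) for a client configured with
     implicit flow disabled;
  2. an access token carried in a request query string or Referer header.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: clients whose "Implicit flow" switch is OFF in Keycloak.
IMPLICIT_DISABLED_CLIENTS = {"account-console", "billing-ui"}

# Assumption: log format is   <ip> <method> <url> <status> "<referer>"
LOG_RE = re.compile(r'^(\S+) (GET|POST) (\S+) (\d{3}) "([^"]*)"$')

# response_type values that make the server return tokens in the front channel.
IMPLICIT_RESPONSE_TYPES = {"token", "id_token"}

# Constructed sample log (the JWT is a dummy, not a real token).
SAMPLE_LOG = """\
10.0.0.5 GET /realms/corp/protocol/openid-connect/auth?client_id=billing-ui&response_type=code&redirect_uri=https://billing.example/cb&scope=openid 302 ""
10.0.0.9 GET /realms/corp/protocol/openid-connect/auth?client_id=billing-ui&response_type=id_token%20token&redirect_uri=https://billing.example/cb&scope=openid&nonce=abc 302 ""
10.0.0.9 GET /static/app.js 200 "https://billing.example/cb?access_token=eyJhbGciOiJSUzI1NiJ9.e30.sig&token_type=bearer"
10.0.0.7 GET /api/orders?access_token=eyJhbGciOiJSUzI1NiJ9.e30.sig 200 ""
"""


def parse_line(line):
    """Split one log line into its fields; returns None for lines not in the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, method, url, status, referer = m.groups()
    return {"ip": ip, "method": method, "url": url, "status": int(status), "referer": referer}


def token_in_query(url):
    """True if an access_token parameter appears in the URL's query string.

    Fragments are checked too, but browsers never send them to a server, so in
    practice a token in a log means it travelled in the query string."""
    parts = urlsplit(url)
    return any("access_token" in parse_qs(c) for c in (parts.query, parts.fragment))


def analyze(line):
    """Return a list of (finding, detail) tuples for a single log line."""
    rec = parse_line(line)
    if rec is None:
        return []
    findings = []
    parts = urlsplit(rec["url"])
    if parts.path.endswith("/protocol/openid-connect/auth"):
        q = parse_qs(parts.query)
        client = q.get("client_id", [""])[0]
        # response_type is space-separated, e.g. "id_token token" for hybrid flow.
        rtypes = set(q.get("response_type", [""])[0].split())
        if client in IMPLICIT_DISABLED_CLIENTS and rtypes & IMPLICIT_RESPONSE_TYPES:
            findings.append(("implicit_flow_requested", client))
    if token_in_query(rec["url"]):
        findings.append(("token_in_request_url", parts.path))
    if rec["referer"] and token_in_query(rec["referer"]):
        findings.append(("token_in_referer", urlsplit(rec["referer"]).netloc))
    return findings


def scan(log_text):
    """Run analyze() over every non-empty line and flatten the findings."""
    return [f for line in log_text.splitlines() if line.strip() for f in analyze(line)]


TOKEN_PARAM_RE = re.compile(r'(access_token=)[^&\s"]+')


def redact(line):
    """Mask token values before the line is forwarded to a log pipeline."""
    return TOKEN_PARAM_RE.sub(r"\1[REDACTED]", line)


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    for line in SAMPLE_LOG.splitlines():
        print(redact(line))
```

The first sample line is a normal authorization-code request and produces no finding; the second asks for `id_token token` on a client that should only use the code flow; the third and fourth show a token leaking through a Referer header and a request URL respectively. `redact` is the complementary control: if tokens are already reaching proxy logs, masking them at the collector limits the blast radius while the fixed build is rolled out.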
References
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-7571
- Vendor advisory: https://access.redhat.com/errata/RHSA-2026:19596
- Vendor advisory: https://access.redhat.com/errata/RHSA-2026:19597
- Vendor advisory: https://access.redhat.com/security/cve/CVE-2026-7571
- Vendor advisory: https://bugzilla.redhat.com/show_bug.cgi?id=2464263
Related CVEs
Same vendor
- CVE-2026-1767 — A flaw was found in the GNOME localsearch (previously known as tracker-miners) MP3 Extractor `tracker-extract-mp3` component (5.6 MEDIUM)
- CVE-2026-1766 — A flaw was found in GNOME localsearch (previously known as tracker-miners) MP3 Extractor, specifically within the tracker-extract-mp3 com... (5.6 MEDIUM)
- CVE-2026-11793 — A stack buffer overflow flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11790 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
- CVE-2026-11789 — A flaw was found in 389 Directory Server (4.9 MEDIUM)
Same CWE
- CVE-2026-42655 — Unauthenticated Bypass Vulnerability in Best Payments Plugin for WP <= 4.6.19 versions (5.9 MEDIUM)
- CVE-2025-59382 — QTS, QuTS hero, QuTScloud are not affected
- CVE-2026-11678 — Integer overflow in libyuv in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to... (5.3 MEDIUM)
- CVE-2026-11669 — Out of bounds read in Media in Google Chrome on ChromeOS prior to 149.0.7827.103 allowed a remote attacker who had compromised the render... (5.3 MEDIUM)
- CVE-2026-11655 — Integer overflow in Media in Google Chrome on Mac prior to 149.0.7827.103 allowed a remote attacker who had compromised the renderer proc... (8.3 HIGH)