MEDIUM 5.4
GHSA-hm32-hfmw-rhvg
Keycloak has a Forced Browsing issue
Details
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional, for both read and write operations, because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. Reaching them still requires a user who has permission to use the API.
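The bug class described above, as an added illustration that is not Keycloak's code: a feature gate called from inside individual handlers lets any handler that forgets the call stay reachable, whereas enforcing the gate once in the dispatcher covers every route under the prefix. The route paths, the `Features` model and the `profile` endpoint are constructed for the example; the regression check at the end is the kind of test a deployment or CI suite can run to confirm nothing under `/account` answers while the feature is disabled.

```python
from dataclasses import dataclass, field

@dataclass
class Features:
    # Constructed model of `--features-disabled=...`; e.g. {"account", "account-api"}.
    disabled: set = field(default_factory=set)

def check_account_api_enabled(features: Features) -> None:
    # Plays the role of the advisory's checkAccountApiEnabled() gate.
    if "account-api" in features.disabled:
        raise PermissionError("account API disabled")

# Hypothetical route table: one unversioned and one versioned endpoint each for
# read and write. Paths are constructed for the example, not Keycloak's.
ROUTES = ["GET /account", "POST /account",
          "GET /account/v1alpha1/profile", "POST /account/v1alpha1/profile"]

def vulnerable_service(features: Features):
    # Bug class from the advisory: the gate lives inside individual handlers,
    # so any handler that omits it stays reachable with the feature disabled.
    def gated(_req):
        check_account_api_enabled(features)
        return 200
    def ungated(_req):
        return 200
    handlers = {r: (ungated if "/v1alpha1/" in r else gated) for r in ROUTES}
    return lambda route, req=None: handlers[route](req)

def hardened_service(features: Features):
    # Fix pattern: enforce the gate once, in the dispatcher, for every route
    # under the /account prefix, so a forgotten call in a handler cannot bypass it.
    handlers = {r: (lambda _req: 200) for r in ROUTES}
    def dispatch(route, req=None):
        if route.split(" ", 1)[1].startswith("/account"):
            check_account_api_enabled(features)
        return handlers[route](req)
    return dispatch

def ungated_routes(dispatch, routes=ROUTES) -> list:
    """Regression check: with the feature disabled, return the routes that
    still answer 200 instead of being refused by the gate."""
    leaks = []
    for route in routes:
        try:
            if dispatch(route) == 200:
                leaks.append(route)
        except PermissionError:
            pass
    return leaks

if __name__ == "__main__":
    off = Features(disabled={"account", "account-api"})
    print("vulnerable:", ungated_routes(vulnerable_service(off)))
    print("hardened:", ungated_routes(hardened_service(off)))
```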
Affected packages
Maven / org.keycloak:keycloak-services
Introduced in: 0
No fixed version published yet for org.keycloak:keycloak-services (maven). Pin to a known-safe version or switch to an alternative.
References
- https://nvd.nist.gov/vuln/detail/CVE-2026-7500 [ADVISORY]
- https://github.com/keycloak/keycloak/issues/48709 [WEB]
- https://github.com/keycloak/keycloak/pull/48715 [WEB]
- https://access.redhat.com/errata/RHSA-2026:25098 [WEB]
- https://access.redhat.com/security/cve/CVE-2026-7500 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2464126 [WEB]
- https://github.com/keycloak/keycloak [PACKAGE]