VIR Vulnerability Intelligence Relay

CVE-2026-7507

high
Published 2026-05-19 · Modified 2026-06-03
💬 Discuss on Community ✚ Propose mitigation
CVSS v3
7.5
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS v4 NEW
not yet in upstream
VIR risk
7.5

Description

A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.

Predictions

Exploit likelihood
83%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Red Hat Errata — Red Hat Inc. · View original ↗ · Open-Errata-API

Description org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover Red Hat statement This is a Critical session fixation vulnerability in Keycloak's login-actions endpoints. An unauthenticated attacker can pre-create an authentication session and, by exploiting a lack of CSRF token or cookie ownership checks on the `/login-actions/restart` endpoint,…

Description

org.keycloak/keycloak-services: Session fixation in OIDC login flow that can lead to account takeover

Red Hat statement

This is a Critical session fixation vulnerability in Keycloak's login-actions endpoints. An unauthenticated attacker can pre-create an authentication session and, by exploiting a lack of CSRF token or cookie ownership checks on the `/login-actions/restart` endpoint, reset the flow state to achieve silent Single Sign-On (SSO). This allows for full takeover of the master-realm admin account in default Keycloak deployments.

CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)

Errata / fixed releases

ProductPackageAdvisoryReleased
Red Hat build of Keycloak 26.2rhbk/keycloak-operator-bundle:26.2.16-1RHSA-2026:195952026-05-20T00:00:00Z
Red Hat build of Keycloak 26.2rhbk/keycloak-rhel9:26.2-21RHSA-2026:195952026-05-20T00:00:00Z
Red Hat build of Keycloak 26.2rhbk/keycloak-rhel9-operator:26.2-21RHSA-2026:195952026-05-20T00:00:00Z
Red Hat build of Keycloak 26.2.16rhbk/keycloak-rhel9-operatorRHSA-2026:195942026-05-20T00:00:00Z
Red Hat build of Keycloak 26.4rhbk/keycloak-operator-bundle:26.4.12-1RHSA-2026:195972026-05-20T00:00:00Z
Red Hat build of Keycloak 26.4rhbk/keycloak-rhel9:26.4-17RHSA-2026:195972026-05-20T00:00:00Z
Red Hat build of Keycloak 26.4rhbk/keycloak-rhel9-operator:26.4-17RHSA-2026:195972026-05-20T00:00:00Z
Red Hat build of Keycloak 26.4.12rhbk/keycloak-rhel9-operatorRHSA-2026:195962026-05-20T00:00:00Z

Apply commands

bash fix
Apply RHSA-2026:19595 for Red Hat build of Keycloak 26.2
yum update -y rhbk/keycloak-operator-bundle:26
# or:
dnf upgrade -y rhbk/keycloak-operator-bundle:26

Application impact
VendorProductVersionsFixed
redhat redhatbuild_of_keycloak{"startIncluding":"26.4","endExcluding":"26.4.12"}26.4.12

References

CWEs

CWE-290

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.