Privilege Escalation: Keycloak Account REST API Partially Disabled
CVE-2026-7500 Published on April 30, 2026
Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional including both read and write operations because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
Vulnerability Analysis
CVE-2026-7500 is exploitable with network access, and requires small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a small impact on confidentiality and integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
What is a forced browsing Vulnerability?
The web application does not adequately enforce appropriate authorization on all restricted URLs, scripts, or files. Web applications susceptible to direct request attacks often make the false assumption that such resources can only be reached through a given navigation path and so only apply authorization at certain points in the path.
CVE-2026-7500 has been classified to as a forced browsing vulnerability or weakness.
Products Associated with CVE-2026-7500
Want to know whenever a new CVE is published for Red Hat Build Keycloak? stack.watch will email you.
