Access Control Flaw in Keycloak's OpenID Connect Token Introspection Endpoint
CVE-2026-37979

6.5MEDIUM

Key Information:

Vendor

Red Hat
Status
Red Hat Build Of Keycloak 26.4
Red Hat Build Of Keycloak 26.4.12
Vendor
CVE Published:
19 May 2026

What is CVE-2026-37979?

An access control flaw in Keycloak's OpenID Connect token introspection endpoint enables a confidential client to bypass audience restrictions. This vulnerability allows an attacker-controlled client with valid credentials to access sensitive token claims meant for other resource servers, thus jeopardizing the confidentiality of lightweight access tokens. The issue can be exploited remotely, posing a significant risk within the realm of authorized clients.

Affected Version(s)

Red Hat build of Keycloak 26.4 26.4.12-1

Red Hat build of Keycloak 26.4 26.4-17

Red Hat build of Keycloak 26.4 26.4-17

References

https://access.redhat.com/errata/RHSA-2026:19596
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:19597
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2026-37979
vdb-entryx_refsource_REDHAT

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Red Hat would like to thank Stian Thorgersen for reporting this issue.
.