Account REST API Vulnerability in Keycloak by Red Hat
CVE-2026-7500

5.4 MEDIUM

Key Information:

Vendor: Red Hat

CVE Published: 30 April 2026

What is CVE-2026-7500?

A security issue in the Keycloak platform allows certain endpoints of the Account REST API to remain active even when the corresponding features are disabled. Specifically, when Keycloak is launched with the --features-disabled=account,account-api option, five endpoints under /account/v1alpha1 remain fully operational instead of being switched off with the rest of the feature. Because an operator who has disabled these features would reasonably expect the endpoints to be unreachable, this oversight can allow unintended access to them, so users of affected versions should verify that permissions on the Account REST API are correctly enforced rather than relying on the feature flag alone.

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Red Hat would like to thank Evan Hendra for reporting this issue.