Session Fixation Vulnerability in Keycloak by Red Hat
CVE-2026-7507

7.5 HIGH

What is CVE-2026-7507?

A session fixation vulnerability in Keycloak's login-actions endpoints allows an unauthenticated attacker to pre-authenticate a victim by crafting a malicious link. Because the /login-actions/restart endpoint lacks proper CSRF protection and cookie validation, invoking it resets the victim's authentication state. This lets the attacker hijack the required-action form and gain access without the victim's credentials. The vulnerability therefore poses a significant risk of complete account takeover, including of high-privilege administrative accounts.
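As an added example (not part of this advisory and not Keycloak's own code), the following Python script hunts reverse-proxy access logs for requests to the /login-actions/restart path that are not tied to the browser's existing authentication session, which is the precondition the advisory describes: a cross-site or Referer-less request, or one carrying no auth-session cookie. The log format, the sample lines, the hostnames and the cookie name AUTH_SESSION_ID are assumptions made for the example, not values taken from the advisory.

```python
"""Hunt access logs for cross-site hits on Keycloak's /login-actions/restart.

Added example, not from the advisory. Assumptions (not stated on the page):
- logs are combined-format lines extended with the Referer, User-Agent and
  Cookie headers, as a reverse proxy in front of Keycloak might emit them;
- the auth-session cookie is named AUTH_SESSION_ID (assumed here).
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# ip ident user [ts] "METHOD path proto" status bytes "referer" "ua" "cookie"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    reason: str


def has_auth_session_cookie(cookie_header, name="AUTH_SESSION_ID"):
    """True if the Cookie header carries the (assumed) auth-session cookie."""
    return any(part.strip().startswith(name + "=") for part in cookie_header.split(";"))


def is_cross_site(referer, own_host):
    """True if the Referer is absent or points at a host other than our own."""
    if referer in ("", "-"):
        return True  # no Referer: cannot confirm the request came from our own pages
    return urlsplit(referer).hostname != own_host


def hunt_restart_requests(lines, own_host):
    """Return a Finding for every restart request not bound to an existing session."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        path = urlsplit(m["path"]).path
        if not path.endswith("/login-actions/restart"):
            continue
        reasons = []
        if is_cross_site(m["referer"], own_host):
            reasons.append("cross-site or missing Referer")
        if not has_auth_session_cookie(m["cookie"]):
            reasons.append("no auth-session cookie")
        if reasons:
            findings.append(Finding(m["ip"], m["ts"], m["path"], "; ".join(reasons)))
    return findings


# Constructed sample log lines; hosts, IPs and cookie values are made up.
SAMPLE_LOG = [
    # Normal restart issued from Keycloak's own login page, with a session cookie.
    '203.0.113.7 - - [12/Mar/2026:10:15:01 +0000] "GET /realms/demo/login-actions/restart?client_id=account HTTP/1.1" '
    '302 0 "https://sso.example.com/realms/demo/protocol/openid-connect/auth" "Mozilla/5.0" "AUTH_SESSION_ID=c0ffee"',
    # Restart reached via a link on a foreign site: the cross-site case.
    '198.51.100.9 - - [12/Mar/2026:10:16:44 +0000] "GET /realms/demo/login-actions/restart?client_id=account HTTP/1.1" '
    '302 0 "https://lure.invalid/page" "Mozilla/5.0" "AUTH_SESSION_ID=c0ffee"',
    # Restart with neither Referer nor any cookie at all.
    '198.51.100.9 - - [12/Mar/2026:10:17:02 +0000] "GET /realms/demo/login-actions/restart?client_id=account HTTP/1.1" '
    '302 0 "-" "curl/8.0" "-"',
    # Unrelated endpoint, ignored by the hunt.
    '203.0.113.7 - - [12/Mar/2026:10:18:10 +0000] "GET /realms/demo/protocol/openid-connect/auth?client_id=account HTTP/1.1" '
    '200 1843 "-" "Mozilla/5.0" "AUTH_SESSION_ID=c0ffee"',
]

if __name__ == "__main__":
    for f in hunt_restart_requests(SAMPLE_LOG, "sso.example.com"):
        print(f"{f.ts} {f.ip} {f.path} -> {f.reason}")
```

The Referer check is a heuristic only: browsers under a strict referrer policy send no Referer for legitimate navigations, so a flagged line is a hunting lead to correlate with the subsequent required-action form submission, not proof of exploitation. Cookie names, log layout and the realm path should be adjusted to match the deployment being examined.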

Affected Version(s)

Red Hat build of Keycloak 26.2 26.2.16-1

Red Hat build of Keycloak 26.2 26.2-21

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

  • Vulnerability published

  • Vulnerability reserved