{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-7500", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-04-30T14:32:50.005Z", "datePublished": "2026-04-30T14:53:09.192Z", "dateUpdated": "2026-04-30T15:10:45.325Z"}, "containers": {"cna": {"title": "Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional \u2014 including both read and write operations \u2014 because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-7500", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464126", "name": "RHBZ#2464126", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-30T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-425", "description": "Direct Request ('Forced Browsing')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-425: Direct Request ('Forced Browsing')", "workarounds": [{"lang": "en", "value": "To reduce the attack surface, restrict network access to the Keycloak server's administration and API endpoints to trusted networks or hosts. This limits the ability of unauthorized users to interact with the server and potentially exploit this improper access control vulnerability. If the Keycloak service is reloaded or restarted, ensure that firewall rules or network access controls remain in effect."}], "timeline": [{"lang": "en", "time": "2026-04-30T14:31:57.661Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-30T00:00:00.000Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Evan Hendra for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-30T14:53:09.192Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-30T15:02:40.969966Z", "id": "CVE-2026-7500", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-30T15:10:45.325Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-7500", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-30T15:02:40.969966Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-30T15:06:53.790Z"}}], "cna": {"title": "Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled", "credits": [{"lang": "en", "value": "Red Hat would like to thank Evan Hendra for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-04-30T14:31:57.661Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-30T00:00:00.000Z", "value": "Made public."}], "datePublic": "2026-04-30T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-7500", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464126", "name": "RHBZ#2464126", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "To reduce the attack surface, restrict network access to the Keycloak server's administration and API endpoints to trusted networks or hosts. This limits the ability of unauthorized users to interact with the server and potentially exploit this improper access control vulnerability. If the Keycloak service is reloaded or restarted, ensure that firewall rules or network access controls remain in effect."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional \u2014 including both read and write operations \u2014 because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-425", "description": "Direct Request ('Forced Browsing')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-30T14:53:09.192Z"}, "x_redhatCweChain": "CWE-425: Direct Request ('Forced Browsing')"}}, "cveMetadata": {"cveId": "CVE-2026-7500", "state": "PUBLISHED", "dateUpdated": "2026-04-30T15:10:45.325Z", "dateReserved": "2026-04-30T14:32:50.005Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-30T14:53:09.192Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*", "matchCriteriaId": "E5C930CB-4EAD-497B-A44B-D880F2A1F85B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional \u2014 including both read and write operations \u2014 because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API."}], "id": "CVE-2026-7500", "lastModified": "2026-05-05T03:00:08.177", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Primary"}]}, "published": "2026-04-30T15:16:23.673", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2026-7500"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464126"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-425"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Evan Hendra for reporting this issue.", "bugzilla": {"description": "org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the account Account API feature is disabled", "id": "2464126", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464126"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-425", "details": ["When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional \u2014 including both read and write operations \u2014 because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API."], "mitigation": {"lang": "en:us", "value": "To reduce the attack surface, restrict network access to the Keycloak server's administration and API endpoints to trusted networks or hosts. This limits the ability of unauthorized users to interact with the server and potentially exploit this improper access control vulnerability. If the Keycloak service is reloaded or restarted, ensure that firewall rules or network access controls remain in effect."}, "name": "CVE-2026-7500", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk/keycloak-rhel9", "product_name": "Red Hat Build of Keycloak"}], "public_date": "2026-04-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-7500\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-7500"], "statement": "This Moderate impact flaw in Keycloak allows authenticated users to bypass the intended disablement of the account and account-api features when Keycloak is started with `--features-disabled=account,account-api`. This bypass enables unauthorized read and write operations on specific account endpoints, despite the configuration aiming to restrict such access.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 98.0, "source": "matching"}]}, "original": {"product": "Red Hat Build of Keycloak", "source": "cna", "vendor": "Red Hat"}, "product": "build_of_keycloak", "vendor": "redhat"}], "created": "2026-04-30T16:30:15.889906+00:00", "updated": "2026-05-05T04:30:15.740538+00:00", "vendors": ["redhat", "redhat$PRODUCT$build_of_keycloak"]}