CVE-2026-7500
MEDIUMDescription
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
Is your site exposed to CVE-2026-7500?
Run a free security scan — no signup, results in seconds.
CVSS v3.1 Score
EPSS — Exploit Prediction
EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.
Weakness Type (CWE)
Affected Products
| Vendor | Product |
|---|---|
| redhat | build_of_keycloak |
References
Advisories & Patches
Other References
Frequently Asked Questions
What is CVE-2026-7500? +
How severe is CVE-2026-7500? +
What products are affected by CVE-2026-7500? +
How do I check if I'm vulnerable to CVE-2026-7500? +
Related Vulnerabilities
The Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, exposes web-accessible file paths that are not protected by an authorization scheme. An unauthenticated …
Improper permission control vulnerability in the OXARI ServiceDesk application could allow an attacker using a guest access or an unprivileged …
Successful exploitation of this vulnerability could allow an attacker to gain unauthorized access to sensitive information.
In WODESYS WD-R608U router (also known as WDR122B V2.0 and WDR28) an unauthorised user can view configuration files by directly …
Authentication bypass in Fortra's GoAnywhere MFT prior to 7.4.1 allows an unauthorized user to create an admin user via the …
Lack of authentication in all versions of the fileserver component of Allegro AI’s ClearML platform allows a remote attacker to …