VYPR

Medium severity (6.5) · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-37979

Description

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Keycloak's OIDC token introspection endpoint does not enforce audience restrictions, allowing confidential clients to retrieve claims intended for other resource servers.

Vulnerability

A flaw in Keycloak's OpenID Connect token introspection endpoint fails to verify that the requesting client is included in the token's aud claim before returning claims. This affects Keycloak versions prior to 26.4.12 [1][2]. The endpoint does not enforce that the introspecting client is among the intended audiences, allowing unauthorized retrieval of token claims.
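The check described above, an introspection endpoint that refuses to return a token's claim set unless the authenticated caller is one of the token's intended audiences, as an added illustrative example. This is not Keycloak's code; the token store, client names and claims are constructed samples, and the `enforce_audience` flag exists only so the flawed and the corrected behaviour can be compared side by side.

```python
"""Illustrative OAuth 2.0 / OIDC token introspection handler with an audience check.

Added example, not Keycloak's implementation. It models the check the advisory
says was missing: before returning a token's claims, verify that the
authenticated introspecting client appears in the token's ``aud`` claim.
All tokens, clients and claims below are constructed sample data.
"""
from typing import Any

# Constructed sample: a "lightweight" access token carries only a few claims
# (sub, aud, ...); the full claim set lives server-side and is only meant to be
# revealed to the resource server(s) named in ``aud``.
TOKEN_STORE: dict[str, dict[str, Any]] = {
    "tok-111": {
        "active": True,
        "sub": "alice",
        "aud": ["orders-api"],           # single intended audience
        "email": "alice@example.test",   # claim omitted from the token itself
        "roles": ["orders:write"],
    },
    "tok-222": {
        "active": True,
        "sub": "bob",
        "aud": "billing-api",            # RFC 7519 allows aud to be a bare string
        "email": "bob@example.test",
    },
}

# Denied cross-audience introspection attempts are recorded here so a defender
# can alert on a client repeatedly probing tokens meant for other services.
AUDIT_LOG: list[dict[str, str]] = []


def _audiences(claims: dict[str, Any]) -> frozenset[str]:
    """Normalise ``aud`` (absent, string, or list of strings) to a set."""
    aud = claims.get("aud")
    if aud is None:
        return frozenset()
    if isinstance(aud, str):
        return frozenset([aud])
    return frozenset(aud)


def introspect(token: str, client_id: str, enforce_audience: bool = True) -> dict[str, Any]:
    """Return the RFC 7662 introspection response for ``token`` as seen by ``client_id``.

    ``client_id`` is the confidential client that already authenticated to the
    endpoint. With ``enforce_audience=False`` the function reproduces the flawed
    behaviour the advisory describes: any authenticated client receives the full
    claim set regardless of the token's audience.
    """
    claims = TOKEN_STORE.get(token)
    if claims is None or not claims.get("active"):
        return {"active": False}
    if enforce_audience and client_id not in _audiences(claims):
        # RFC 7662 section 2.2: a caller that is not allowed to introspect this
        # token gets active=false and learns nothing else about it.
        AUDIT_LOG.append({"event": "introspection_denied",
                          "client_id": client_id, "token": token})
        return {"active": False}
    return dict(claims)


if __name__ == "__main__":
    print(introspect("tok-111", "orders-api"))    # full claims: correct audience
    print(introspect("tok-111", "billing-api"))   # {'active': False}: wrong audience
    print(introspect("tok-111", "billing-api", enforce_audience=False))  # flawed: leaks
    print(AUDIT_LOG)
```

The `active: false` response for a caller outside the audience is what RFC 7662 requires, and it is also what makes the fix safe against enumeration: the denied client cannot tell an unknown token from one it is simply not allowed to inspect.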

Exploitation

An attacker-controlled confidential client with valid credentials can call the introspection endpoint for any access token, including tokens issued to a different resource server. The attacker can obtain or intercept such tokens and use the introspection endpoint to retrieve the full claim set [4]. No additional privileges beyond valid client credentials are required.

Impact

Successful exploitation leads to information disclosure of sensitive token claims that were intended only for the legitimate audience. This breaks the confidentiality model of lightweight access tokens, potentially exposing attributes meant to be omitted from the token itself [1][4].

Mitigation

The issue is fixed in Keycloak version 26.4.12, released on 2026-05-20 [2][3]. Users should update to this version or later. No workaround is mentioned; updating is the recommended action.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)