VYPR
Medium severity 5.4 · NVD Advisory · Published Apr 30, 2026 · Updated Jun 10, 2026

CVE-2026-7500

Description

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled() gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.keycloak:keycloak-services (Maven) | <= 26.6.1 | |
