Medium severity (score 5.4) · NVD Advisory · Published Apr 30, 2026 · Updated May 5, 2026
CVE-2026-7500
Description
When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional, including both read and write operations, because they lack the checkAccountApiEnabled() gate that correctly blocks four other endpoints in the same REST service class. The caller must still hold the permissions normally required to use the API; the flaw bypasses the feature switch, not authentication or authorization.
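The bug class described above, as an added Python illustration (not Keycloak's code): a feature gate re-implemented inside each handler, so that a handler can simply omit it, beside a variant that applies the gate once at dispatch, plus a behavioural audit that lists every handler which does not fail closed when the feature is disabled. The class names, the endpoint names /profile and /sessions, the Features flag holder and the in-memory store are all assumptions; the two ungated handlers stand in for the five Keycloak endpoints the advisory does not name.

```python
"""Constructed illustration of the bug class behind CVE-2026-7500. Not Keycloak
code: endpoint names, the Features class and the in-memory store are assumptions."""
import inspect
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Set


class FeatureDisabled(Exception):
    """Raised when a request reaches an endpoint whose feature is switched off."""


@dataclass
class Features:
    """Stand-in for the server's feature-flag set (what --features-disabled toggles)."""
    disabled: Set[str] = field(default_factory=set)

    def is_enabled(self, name: str) -> bool:
        return name not in self.disabled


def new_store() -> Dict[str, Any]:
    """Constructed per-user state shared by the two service variants below."""
    return {"profile": {"email": "alice@example.test"}, "sessions": ["s1", "s2"]}


class AccountServiceFragile:
    """Per-method gating: every handler must remember to call
    check_account_api_enabled(). Two hypothetical handlers below forget."""

    def __init__(self, features: Features, store: Dict[str, Any]):
        self.features, self.store = features, store

    def check_account_api_enabled(self) -> None:
        if not self.features.is_enabled("account-api"):
            raise FeatureDisabled("account-api is disabled")

    def get_profile(self) -> Dict[str, str]:
        self.check_account_api_enabled()
        return dict(self.store["profile"])

    def update_profile(self, payload: Dict[str, str]) -> Dict[str, str]:
        self.check_account_api_enabled()
        self.store["profile"].update(payload)
        return dict(self.store["profile"])

    def list_sessions(self) -> List[str]:  # ungated read (the bug)
        return list(self.store["sessions"])

    def delete_session(self, session_id: str) -> bool:  # ungated write (the bug)
        self.store["sessions"].remove(session_id)
        return True


class AccountServiceGated:
    """One gate at dispatch: every registered route is checked before its
    handler runs, so adding a route cannot bypass the feature flag."""

    def __init__(self, features: Features, store: Dict[str, Any]):
        self.features, self.store = features, store
        self.routes: Dict[tuple, Callable[[Any], Any]] = {
            ("GET", "/profile"): lambda _: dict(self.store["profile"]),
            ("POST", "/profile"): self._update_profile,
            ("GET", "/sessions"): lambda _: list(self.store["sessions"]),
            ("DELETE", "/sessions"): self._delete_session,
        }

    def _update_profile(self, payload: Dict[str, str]) -> Dict[str, str]:
        self.store["profile"].update(payload)
        return dict(self.store["profile"])

    def _delete_session(self, session_id: str) -> bool:
        self.store["sessions"].remove(session_id)
        return True

    def dispatch(self, method: str, path: str, payload: Any = None) -> Any:
        if not self.features.is_enabled("account-api"):
            raise FeatureDisabled("account-api is disabled")  # before any lookup or state access
        handler = self.routes.get((method, path))
        if handler is None:
            raise KeyError(f"no route {method} {path}")
        return handler(payload)


def find_ungated(service: Any) -> List[str]:
    """Behavioural audit usable as a regression test: with the feature disabled,
    every public handler must fail with FeatureDisabled before touching state.
    A handler that returns, or fails with any other error, is reported as ungated."""
    ungated = []
    for name, method in inspect.getmembers(service, inspect.ismethod):
        if name.startswith("_") or name == "check_account_api_enabled":
            continue
        required = [p for p in inspect.signature(method).parameters.values()
                    if p.default is inspect.Parameter.empty]
        try:
            method(*([None] * len(required)))
        except FeatureDisabled:
            continue
        except Exception:
            pass
        ungated.append(name)
    return sorted(ungated)


if __name__ == "__main__":
    off = Features(disabled={"account", "account-api"})
    print("fragile service, ungated handlers:", find_ungated(AccountServiceFragile(off, new_store())))
    print("gated service, ungated handlers:  ", find_ungated(AccountServiceGated(off, new_store())))
```

The audit deliberately treats "raised something other than FeatureDisabled" as ungated: a handler that gets far enough to reject a bad argument has already run past the point where the feature check should have stopped it. Running this kind of check over every route of a service is the cheap way to catch the next forgotten gate at review time rather than in an advisory.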
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-services (Maven) | <= 26.6.1 | — |
Affected products
- cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/security/cve/CVE-2026-7500 (nvd; Vendor Advisory, WEB)
- github.com/advisories/GHSA-hm32-hfmw-rhvg (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-7500 (ghsa; ADVISORY)
- bugzilla.redhat.com/show_bug.cgi (nvd; Issue Tracking, WEB)
- github.com/keycloak/keycloak/issues/48709 (ghsa; WEB)
- github.com/keycloak/keycloak/pull/48715 (ghsa; WEB)
News mentions
No linked articles in our index yet.