CVE-2026-7507
Description
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.keycloak:keycloak-servicesMaven | < 26.6.2 | 26.6.2 |
Affected products
2Patches
Vulnerability mechanics
References
11- access.redhat.com/errata/RHSA-2026:19594nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2026:19595nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2026:19596nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2026:19597nvdVendor AdvisoryWEB
- access.redhat.com/security/cve/CVE-2026-7507nvdVendor AdvisoryWEB
- bugzilla.redhat.com/show_bug.cginvdVendor AdvisoryWEB
- github.com/advisories/GHSA-hf67-5vvq-fm3rghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-7507ghsaADVISORY
- github.com/keycloak/keycloak/commit/d791b270b9ea5203be40a9533c1c12c4d044fb52ghsaWEB
- github.com/keycloak/keycloak/pull/49134ghsaWEB
- github.com/keycloak/keycloak/releases/tag/26.6.2ghsaWEB
News mentions
0No linked articles in our index yet.