VYPR
High severity (7.5) · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-7507

Description

A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Session fixation in Keycloak's login-actions endpoints allows unauthenticated attackers to hijack authentication flows, leading to account takeover.

Vulnerability

A session fixation vulnerability exists in Keycloak's login-actions endpoints, specifically the /login-actions/restart endpoint, which processes session handles without adequate CSRF protection or cookie ownership validation [1]. An unauthenticated attacker can pre-create an authentication session and craft a malicious link. Affected versions include Keycloak before 26.4.12 and 26.2.16 [2][3][4].

Exploitation

The attacker needs no authentication; they can pre-create an authentication session and trick a victim into clicking a maliciously crafted link that invokes the /login-actions/restart endpoint. The endpoint resets the authentication flow state without verifying that the session handle belongs to the victim. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials [1].

Impact

Successful exploitation leads to complete account takeover, including highly privileged administrative accounts. The attacker gains the ability to impersonate the victim and perform actions as that user, potentially compromising the entire Keycloak deployment [1].

Mitigation

Red Hat released fixed versions: Keycloak 26.4.12 (standalone and OpenShift images) and Keycloak 26.2.16 (OpenShift images) on 2026-05-20 [2][3][4]. Users should upgrade to these versions. No workarounds are mentioned in the references. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
