CVE-2026-7571
Description
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A low-privilege user can bypass implicit flow restrictions in Keycloak OIDC clients to obtain unauthorized access tokens, leading to information disclosure.
Vulnerability
A flaw in Keycloak allows a low-privilege attacker with knowledge of user credentials and a client ID to bypass the security control that disables the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, the attacker can obtain an access token that should not be available. This issue affects Keycloak versions prior to 26.4.12 [1][4].
Exploitation
An attacker must have low-privilege access (e.g., a regular user) and know the victim's credentials and the client ID. During a session restart, the attacker manipulates client data to re-enable the implicit flow, tricking the server into issuing an access token that should be blocked [1][4].
Impact
Successful exploitation leads to the disclosure of access tokens that should not be issued. These tokens can also be exposed in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure [1][4].
Mitigation
The vulnerability is fixed in Red Hat build of Keycloak 26.4.12, released on 2026-05-20 [2][3]. Users should upgrade to version 26.4.12 or later. No workarounds are documented.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 4
News mentions: 0 (no linked articles in our index yet)