CVE-2026-7571
High severity (7.1) · NVD Advisory · Published May 19, 2026 · Updated Jun 3, 2026
Description
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-services (Maven) | < 26.6.2 | 26.6.2 |
References
- access.redhat.com/errata/RHSA-2026:19596 (source: NVD; Vendor Advisory)
- access.redhat.com/errata/RHSA-2026:19597 (source: NVD; Vendor Advisory)
- access.redhat.com/security/cve/CVE-2026-7571 (source: NVD; Vendor Advisory)
- bugzilla.redhat.com/show_bug.cgi (source: NVD; Vendor Advisory)
- github.com/advisories/GHSA-hq3p-w4xv-x7vp (source: GHSA; Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-7571 (source: GHSA; Advisory)
- github.com/keycloak/keycloak/commit/56bbfa3d8abccf39df787ae73e044a75aba1da13 (source: GHSA; Web)
- github.com/keycloak/keycloak/issues/49110 (source: GHSA; Web)
- github.com/keycloak/keycloak/pull/49120 (source: GHSA; Web)
- github.com/keycloak/keycloak/releases/tag/26.6.2 (source: GHSA; Web)