{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-7500","assignerOrgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","state":"PUBLISHED","assignerShortName":"redhat","dateReserved":"2026-04-30T14:32:50.005Z","datePublished":"2026-04-30T14:53:09.192Z","dateUpdated":"2026-04-30T15:10:45.325Z"},"containers":{"cna":{"title":"Org.keycloak.keycloak-services: improper access control on keycloak server when the account and account-api features are disabled","metrics":[{"other":{"content":{"value":"Moderate","namespace":"https://access.redhat.com/security/updates/classification/"},"type":"Red Hat severity rating"}},{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM","confidentialityImpact":"LOW","integrityImpact":"LOW","privilegesRequired":"LOW","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","version":"3.1"},"format":"CVSS"}],"descriptions":[{"lang":"en","value":"When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. 
The user needs to have permissions to use the API."}],"affected":[{"vendor":"Red Hat","product":"Red Hat Build of Keycloak","collectionURL":"https://access.redhat.com/downloads/content/package-browser/","packageName":"rhbk/keycloak-rhel9","defaultStatus":"affected","cpes":["cpe:/a:redhat:build_keycloak:"]}],"references":[{"url":"https://access.redhat.com/security/cve/CVE-2026-7500","tags":["vdb-entry","x_refsource_REDHAT"]},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2464126","name":"RHBZ#2464126","tags":["issue-tracking","x_refsource_REDHAT"]}],"datePublic":"2026-04-30T00:00:00.000Z","problemTypes":[{"descriptions":[{"cweId":"CWE-425","description":"Direct Request ('Forced Browsing')","lang":"en","type":"CWE"}]}],"x_redhatCweChain":"CWE-425: Direct Request ('Forced Browsing')","workarounds":[{"lang":"en","value":"To reduce the attack surface, restrict network access to the Keycloak server's administration and API endpoints to trusted networks or hosts. This limits the ability of unauthorized users to interact with the server and potentially exploit this improper access control vulnerability. 
If the Keycloak service is reloaded or restarted, ensure that firewall rules or network access controls remain in effect."}],"timeline":[{"lang":"en","time":"2026-04-30T14:31:57.661Z","value":"Reported to Red Hat."},{"lang":"en","time":"2026-04-30T00:00:00.000Z","value":"Made public."}],"credits":[{"lang":"en","value":"Red Hat would like to thank Evan Hendra for reporting this issue."}],"providerMetadata":{"orgId":"53f830b8-0a3f-465b-8143-3b8a9948e749","shortName":"redhat","dateUpdated":"2026-04-30T14:53:09.192Z"},"x_generator":{"engine":"cvelib 1.8.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-04-30T15:02:40.969966Z","id":"CVE-2026-7500","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-04-30T15:10:45.325Z"}}]}}