CVE-2026-7571 HIGH

CVE-2026-7571: Keycloak: keycloak: access token disclosure and implicit flow bypass via forged client data

Vendor Red Hat
Product Red Hat build of Keycloak 26.4.12
Weakness CWE-472
Published May 19, 2026
Last update May 20, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

What the vulnerability does

01Description

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.

Key dates

02Disclosure timeline

May 19, 2026 CVE published
May 20, 2026 Record updated