Executive Summary

CVE-2026-7500 is an improper access control vulnerability in the Keycloak server that occurs when the account and account-api features are disabled using the `--features-disabled=account,account-api` flag.

Despite disabling these features, five endpoints under the `/account/v1alpha1` path remain fully functional, allowing both read and write operations.

This happens because these endpoints lack the `checkAccountApiEnabled()` security gate that correctly blocks other endpoints in the same REST service class.

An attacker with the necessary permissions could exploit these exposed endpoints to perform unauthorized actions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker who has the required permissions to access and perform both read and write operations on five exposed endpoints under the `/account/v1alpha1` path, even when the account and account-api features are supposed to be disabled.

As a result, unauthorized actions could be performed through these endpoints, potentially leading to data exposure or modification within the affected Keycloak server.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, avoid starting Keycloak with the `--features-disabled=account,account-api` flag, as this partial disabling leaves five endpoints under `/account/v1alpha1` fully functional and vulnerable.

Ensure that the `checkAccountApiEnabled()` gate is properly applied to all Account REST API endpoints to block unauthorized access.

Verify user permissions carefully since exploitation requires the user to have permissions to use the API.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves five endpoints under the `/account/v1alpha1` path in Keycloak that remain fully functional even when the Account API feature is disabled. Detection involves checking if these endpoints are accessible and functional despite the `--features-disabled=account,account-api` flag being set.

To detect this on your system or network, you can attempt to access or interact with the following endpoints under `/account/v1alpha1` to verify if they respond and allow read or write operations.

Suggested commands using curl to test these endpoints (replace <keycloak-server> and add authentication as needed):

• curl -i -X GET https://<keycloak-server>/account/v1alpha1/<endpoint>
• curl -i -X POST https://<keycloak-server>/account/v1alpha1/<endpoint> -d '{"data":"value"}' -H 'Content-Type: application/json'

If these requests succeed and return data or allow modifications, it indicates the vulnerability is present because these endpoints should be disabled when the feature flag is set.

Note that the user must have permissions to use the API for these tests to be meaningful.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in Keycloak allows certain account-related API endpoints to remain accessible even when the account API feature is disabled, potentially enabling unauthorized read and write operations by users with permissions. This improper access control could lead to unauthorized access or modification of user account data.

Such unauthorized access or modification of personal or sensitive data may impact compliance with data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and health-related information to ensure confidentiality and integrity.

Therefore, exploitation of this vulnerability could result in violations of these regulations due to insufficient access controls and potential data exposure or alteration.

Useful 0 Not Useful 0