CVE-2026-37979
Analyzed Analyzed - Analysis Complete
Keycloak OpenID Connect Token Introspection Access Control Flaw

Publication date: 2026-05-19

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-06-03
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-37979
EUVD
EUVD-2026-30887
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak From 26.4 (inc) to 26.4.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an access control flaw in Keycloak's OpenID Connect (OIDC) token introspection endpoint. It allows a confidential client with valid credentials to bypass audience restrictions, meaning the client can access sensitive token claims that are meant for other resource servers. Essentially, an attacker-controlled client can retrieve confidential information from lightweight access tokens that it should not have access to.

Impact Analysis

The impact of this vulnerability is the compromise of confidentiality for sensitive token claims. An attacker who controls a confidential client with valid credentials can remotely exploit this flaw to access information intended for other resource servers. This could lead to unauthorized disclosure of sensitive data, potentially affecting the security of applications relying on Keycloak for authentication and authorization.

Compliance Impact

This vulnerability in Keycloak allows a confidential client to bypass audience restrictions on the OIDC token introspection endpoint, enabling unauthorized access to sensitive token claims intended for other resource servers. Such unauthorized disclosure of sensitive information can compromise the confidentiality of access tokens.

Because the vulnerability leads to potential exposure of sensitive data, it may impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.

Organizations using affected versions of Keycloak should consider this risk in their compliance assessments and apply necessary mitigations or updates to maintain compliance.

Mitigation Strategies

To mitigate this vulnerability, you should update your Keycloak installation to the latest patched version provided by your vendor.

Although Resource 1 addresses a different CVE, it highlights the importance of applying vendor patches promptly to fix security issues in Keycloak.

Since the vulnerability allows confidential clients with valid credentials to bypass audience restrictions, restricting client credentials and monitoring access to the OIDC token introspection endpoint may also help reduce risk until a patch is applied.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37979. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart