CVE-2026-37979
Keycloak OpenID Connect Token Introspection Access Control Flaw
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an access control flaw in Keycloak's OpenID Connect (OIDC) token introspection endpoint. It allows a confidential client with valid credentials to bypass audience restrictions, meaning the client can access sensitive token claims that are meant for other resource servers. Essentially, an attacker-controlled client can retrieve confidential information from lightweight access tokens that it should not have access to.
How can this vulnerability impact me? :
The impact of this vulnerability is the compromise of confidentiality for sensitive token claims. An attacker who controls a confidential client with valid credentials can remotely exploit this flaw to access information intended for other resource servers. This could lead to unauthorized disclosure of sensitive data, potentially affecting the security of applications relying on Keycloak for authentication and authorization.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability in Keycloak allows a confidential client to bypass audience restrictions on the OIDC token introspection endpoint, enabling unauthorized access to sensitive token claims intended for other resource servers. Such unauthorized disclosure of sensitive information can compromise the confidentiality of access tokens.
Because the vulnerability leads to potential exposure of sensitive data, it may impact compliance with data protection standards and regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information.
Organizations using affected versions of Keycloak should consider this risk in their compliance assessments and apply necessary mitigations or updates to maintain compliance.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update your Keycloak installation to the latest patched version provided by your vendor.
Although Resource 1 addresses a different CVE, it highlights the importance of applying vendor patches promptly to fix security issues in Keycloak.
Since the vulnerability allows confidential clients with valid credentials to bypass audience restrictions, restricting client credentials and monitoring access to the OIDC token introspection endpoint may also help reduce risk until a patch is applied.