CVE-2026-7507
Session Fixation in Keycloak Authentication Flow
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: Red Hat, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jboss | keycloak | to 2464145 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
AI Powered Q&A
How can this vulnerability impact me?
The impact of this vulnerability can be severe. A successful exploit can lead to complete account takeover, including highly privileged administrative accounts such as the master-realm admin. This means an attacker could gain full control over the affected Keycloak deployment, potentially compromising all user accounts and sensitive data managed by the system.
Can you explain this vulnerability to me?
This vulnerability is a session fixation flaw found in Keycloak's login-actions endpoints. An attacker who is not authenticated can create an authentication session in advance and then trick a victim into clicking a specially crafted link. The vulnerability exists because the /login-actions/restart endpoint processes session handles without proper CSRF protection or verifying cookie ownership. This allows the attacker to reset the authentication flow state, causing Single Sign-On (SSO) to authenticate the victim silently when they click the link. As a result, the attacker can hijack the required-action form without needing the victim's credentials.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to completely take over user accounts, including highly privileged administrative accounts, without needing the victim's credentials.
Such unauthorized access and account takeover can lead to breaches of sensitive personal data and administrative controls, which may violate data protection regulations like GDPR and HIPAA that require strict access controls and protection of personal information.
Therefore, exploitation of this vulnerability could result in non-compliance with these common standards and regulations due to potential unauthorized data access and compromise of system integrity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves monitoring for suspicious requests to the /login-actions/restart endpoint, especially those lacking CSRF tokens or originating from unauthenticated sources.
Network administrators can inspect HTTP logs or use tools like curl or wget to test the endpoint behavior by sending crafted requests without valid session cookies or CSRF tokens to see if the authentication flow state can be reset.
- Example command to test the endpoint, sent without a valid CSRF token or session cookie: `curl -v -X POST 'https://<keycloak-server>/login-actions/restart' -d 'session=<session_handle>'`
- Monitor web server logs for unusual POST requests to /login-actions/restart that do not include CSRF tokens or originate from unexpected IP addresses.
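An added log-triage example (my code, not part of this advisory or the Keycloak project) that applies the monitoring advice above to combined-format web server access logs: since such logs never show CSRF tokens or cookies, it uses the Referer and source IP as proxies and flags requests to the restart endpoint whose Referer is missing or from a host outside an allowlist, or whose client IP is outside trusted networks. The hostnames, networks and log lines are constructed placeholders; the check is method-agnostic rather than POST-only, because the Referer and source checks apply to any method, and it matches the realm-prefixed path Keycloak serves the endpoint under.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
RESTART_PATH = "/login-actions/restart"
# Assumed deployment facts (placeholders): the Keycloak host, the relying-party hosts that
# legitimately send users into the login flow, and the client networks users are expected from.
TRUSTED_REFERER_HOSTS = {"sso.example.org", "app.example.org"}
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def restart_reasons(entry):
    """Reasons a parsed request to the restart endpoint looks suspicious (empty = benign or out of scope)."""
    reasons = []
    if RESTART_PATH not in entry["path"].split("?", 1)[0]:
        return reasons  # some other endpoint
    referer = entry["referer"]
    if referer in ("", "-"):
        reasons.append("no referer header")  # typical of a link opened directly rather than via an app redirect
    else:
        host = urlsplit(referer).hostname or ""
        if host not in TRUSTED_REFERER_HOSTS:
            reasons.append(f"cross-site referer {host}")
    ip = ipaddress.ip_address(entry["ip"])
    if not any(ip in net for net in TRUSTED_NETWORKS):
        reasons.append(f"source {ip} outside trusted networks")
    return reasons


def find_suspicious_restarts(log_text):
    """Return flagged restart requests with their reasons, in log order; unparseable lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if m and (reasons := restart_reasons(m.groupdict())):
            findings.append({"ip": m["ip"], "method": m["method"], "path": m["path"], "reasons": reasons})
    return findings


# Constructed sample log lines (not from a real system): one benign restart, two suspicious, one unrelated.
SAMPLE_LOG = """\
10.1.2.3 - - [19/May/2026:10:00:01 +0000] "GET /realms/master/login-actions/restart?client_id=account HTTP/1.1" 302 0 "https://app.example.org/login" "Mozilla/5.0"
203.0.113.9 - - [19/May/2026:10:00:05 +0000] "POST /realms/master/login-actions/restart HTTP/1.1" 302 0 "https://lure.example.net/click-here" "Mozilla/5.0"
10.1.2.4 - - [19/May/2026:10:00:09 +0000] "POST /realms/master/login-actions/restart HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.1.2.5 - - [19/May/2026:10:00:11 +0000] "GET /realms/master/account/ HTTP/1.1" 200 1234 "https://sso.example.org/" "Mozilla/5.0"
"""
```

Running `find_suspicious_restarts(SAMPLE_LOG)` flags the second and third lines only; tune the allowlists to your realms' relying parties before pointing it at real logs, or legitimate app redirects will show up as cross-site referers.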
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying any available patches or updates from the Keycloak maintainers that address this session fixation vulnerability.
If patches are not immediately available, restrict access to the /login-actions/restart endpoint by implementing additional CSRF protections and validating cookie ownership to prevent unauthorized session resets.
Additionally, monitor and audit authentication flows for suspicious activity and consider temporarily disabling or restricting Single Sign-On (SSO) features until the vulnerability is resolved.