CVE-2026-7571
Analyzed Analyzed - Analysis Complete
Keycloak OIDC Implicit Flow Bypass Vulnerability

Publication date: 2026-05-19

Last updated on: 2026-06-03

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-19
Last Modified
2026-06-03
Generated
2026-06-10
AI Q&A
2026-05-19
EPSS Evaluated
2026-06-08
NVD
CVE-2026-7571
EUVD
EUVD-2026-30888
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak From 26.4 (inc) to 26.4.12 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-472 The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Detection Guidance

Detection of this vulnerability involves monitoring for unusual access tokens that should not be available due to the implicit flow being disabled. Additionally, inspecting server logs, proxy logs, and HTTP Referrer headers for unexpected access token disclosures can help identify exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include searching logs for access tokens or suspicious client data manipulations during session restarts.

Executive Summary

This vulnerability exists in Keycloak and allows a low-privilege user who knows user credentials and a client ID to bypass a security control that is meant to disable the implicit flow in OpenID Connect (OIDC) clients.

By manipulating client data during a session restart, the attacker can obtain an access token that should normally be unavailable to them.

Additionally, this flaw can cause these access tokens to be exposed in server logs, proxy logs, and HTTP Referrer headers, which leads to sensitive information disclosure.

Impact Analysis

The vulnerability can allow an attacker with limited privileges to gain unauthorized access tokens, potentially granting them access to protected resources or user data.

Furthermore, the exposure of access tokens in logs and HTTP headers increases the risk of sensitive information leakage, which can be exploited for further attacks or unauthorized access.

Compliance Impact

This vulnerability in Keycloak allows a low-privilege user to bypass security controls and obtain access tokens that should not be available. The exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers can lead to sensitive information disclosure.

Such unauthorized disclosure of sensitive authentication tokens could potentially lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.

Mitigation Strategies

Immediate mitigation steps include reviewing and updating Keycloak configurations to ensure that the implicit flow is properly disabled and cannot be bypassed by low-privilege users. Additionally, auditing and sanitizing logs to prevent sensitive access token exposure is recommended.

Applying any available patches or updates from the vendor addressing this vulnerability is critical.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7571. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart