CVE-2026-7571
Keycloak OIDC Implicit Flow Bypass Vulnerability

Publication date: 2026-05-19

Last updated on: 2026-05-20

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.
Meta Information
Published: 2026-05-19
Last Modified: 2026-05-20
Generated: 2026-05-20
AI Q&A generated: 2026-05-19
EPSS Evaluated: 2026-05-19
External references: NVD, EUVD
Affected Vendors & Products (1 associated CPE)
Vendor: redhat
Product: keycloak
Version / Range: * (any version)
CWE
CWE-472: The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Keycloak and allows a low-privilege user who knows user credentials and a client ID to bypass a security control that is meant to disable the implicit flow in OpenID Connect (OIDC) clients.

By manipulating client data during a session restart, the attacker can obtain an access token that should normally be unavailable to them.

Additionally, this flaw can cause these access tokens to be exposed in server logs, proxy logs, and HTTP Referrer headers, which leads to sensitive information disclosure.


How can this vulnerability impact me?

The vulnerability can allow an attacker with limited privileges to gain unauthorized access tokens, potentially granting them access to protected resources or user data.

Furthermore, the exposure of access tokens in logs and HTTP headers increases the risk of sensitive information leakage, which can be exploited for further attacks or unauthorized access.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability in Keycloak allows a low-privilege user to bypass security controls and obtain access tokens that should not be available. The exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers can lead to sensitive information disclosure.

Such unauthorized disclosure of sensitive authentication tokens could potentially lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

However, the provided information does not explicitly detail the direct impact on compliance with these standards.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for unusual access tokens that should not be available due to the implicit flow being disabled. Additionally, inspecting server logs, proxy logs, and HTTP Referrer headers for unexpected access token disclosures can help identify exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include searching logs for access tokens or suspicious client data manipulations during session restarts.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include reviewing and updating Keycloak configurations to ensure that the implicit flow is properly disabled and cannot be bypassed by low-privilege users. Additionally, auditing and sanitizing logs to prevent sensitive access token exposure is recommended.

Applying any available patches or updates from the vendor addressing this vulnerability is critical.

