← Voltar para CVEs
CVE-2026-7500
MEDIUM5.4
Descricao
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
Detalhes CVE
Pontuacao CVSS v3.15.4
SeveridadeMEDIUM
Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Vetor de ataqueNETWORK
ComplexidadeLOW
Privilegios necessariosLOW
Interacao do usuarioNONE
Publicado4/30/2026
Ultima modificacao4/30/2026
Fontenvd
Avistamentos honeypot0
Fraquezas (CWE)
CWE-425
Referencias
https://access.redhat.com/security/cve/CVE-2026-7500(secalert@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=2464126(secalert@redhat.com)
Correlacoes IOC
Sem correlacoes registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.