Zero Day MonitorZDM

← Back to list

5.4

CVE-2026-7500EXPLOITED

red hat · keycloak

Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled

Description

When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

Affected Products

Vendor	Product	Versions
red hat	keycloak	—

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor	Product	Source	Confidence
open source	open source keycloak	cert_advisory	90%

References

https://access.redhat.com/security/cve/CVE-2026-7500(vdb-entry, x_refsource_REDHAT)
https://bugzilla.redhat.com/show_bug.cgi?id=2464126(issue-tracking, x_refsource_REDHAT)

Related News (2 articles)

Tier B

BSI Advisories6h ago

[NEU] [UNGEPATCHT] [mittel] Keycloak: Schwachstelle ermöglicht Umgehen von Sicherheitsvorkehrungen

→ No new info (linked only)

Tier C

VulDB4d ago

CVE-2026-7500 | Keycloak Account REST API /account/v1alpha1 checkAccountApiEnabled direct request

→ No new info (linked only)

CVSS 3.15.4 NONE

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-425

PublishedApr 30, 2026

Last enriched3d agov2

Trending Score50

Source articles2

Independent2

Info Completeness7/14

Missing: versions, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (5)

CRITICALCVE-2026-6266EXP

Aap-controller: aap-gateway: account hijacking and unauthorized access via unverified email linking

NONECVE-2026-33846EXP

Gnutls: gnutls: denial of service via heap buffer overflow in dtls handshake fragment reassembly

Multiple Denial of Service Vulnerabilities in Red Hat OpenShift Container Platform

NONECVE-2026-2625

Rust-rpm-sequoia: rust-rpm-sequoia: denial of service via crafted rpm file during signature verification

NONECVE-2026-33845

Gnutls: gnutls: denial of service via dtls zero-length fragment

Pin to Dashboard

Verification

State: unverified

Confidence: 0%

Vulnerability Timeline

CVE Published

Apr 30, 2026

Discovered by ZDM

Apr 30, 2026

Updated: description, activelyExploited

Apr 30, 2026

Actively Exploited

Apr 30, 2026

Version History

v2

Last enriched 3d ago

v2Tier C3d ago

Updated description with new technical details, marked exploit availability as false, and noted that the vulnerability is actively exploited.

descriptionactivelyExploited

via VulDB

v14d ago

Initial creation