CVE-2026-7507

Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
19/05/2026
Last modified:
15/07/2026

Description

A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*:* 26.4 (including) 26.4.12 (excluding)