Keycloak 26.6.2: 16 CVEs patched — several exploitable without authentication

Security · IDPTrust

Keycloak 26.6.2 was released on May 19, 2026, and it is almost entirely a security release: 16 CVEs fixed in a single release. Several affect the OIDC login flow, redirect URI validation, and the SAML endpoint. If your Keycloak instance is exposed to the internet, this update is a priority.

Here are the points that matter most.


The most urgent ones

CVE-2026-7504 · CVSS 8.1 (High) — Redirect URI validation bypass

A flaw in how Keycloak validates redirect URIs configured with a wildcard (*) pattern allows an attacker to bypass the allowed-path restriction and redirect the authorization flow to an attacker-controlled destination. The usual consequence is access token theft.
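Until the upgrade lands, it helps to know which clients actually rely on wildcard redirect URIs, since those are the ones this flaw concerns. The following is an added example, not Keycloak code or IDPTrust tooling: it audits a list of client representations of the shape the Admin REST API returns from GET /admin/realms/{realm}/clients and ranks the wildcard patterns by how much they widen the allowed destination. The client list below is a constructed sample; in practice you would feed it the JSON from that endpoint.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of Keycloak ClientRepresentation objects
# (only the fields this audit reads). Not real data from any deployment.
SAMPLE_CLIENTS = json.loads("""
[
  {"clientId": "billing-spa",   "enabled": true,
   "redirectUris": ["https://billing.example.com/*"]},
  {"clientId": "legacy-portal", "enabled": true,
   "redirectUris": ["*", "http://localhost:8080/*"]},
  {"clientId": "mobile",        "enabled": true,
   "redirectUris": ["com.example.app:/oauth2redirect"]},
  {"clientId": "disabled-old",  "enabled": false,
   "redirectUris": ["https://*.example.com/cb"]}
]
""")

# Matches "<scheme>:" optionally followed by "//<authority>" so the
# wildcard can be located in the host part versus the path part.
_SCHEME_AUTHORITY = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):(//[^/]*)?")


def classify_redirect_uri(uri: str) -> Optional[str]:
    """Return a risk label for a wildcard redirect URI, or None if it is exact."""
    if "*" not in uri:
        return None
    if uri == "*":
        return "any-destination"          # no restriction at all
    m = _SCHEME_AUTHORITY.match(uri)
    authority = m.group(2) if m else None
    if authority and "*" in authority:
        return "host-wildcard"            # wildcard inside the host
    return "path-wildcard"                # host fixed, path open


def audit_redirect_uris(clients: List[Dict]) -> List[Dict]:
    """List every wildcard redirect URI; enabled clients and '*' entries first."""
    findings = []
    for client in clients:
        for uri in client.get("redirectUris", []):
            risk = classify_redirect_uri(uri)
            if risk:
                findings.append({"clientId": client["clientId"],
                                 "enabled": client.get("enabled", True),
                                 "redirectUri": uri, "risk": risk})
    findings.sort(key=lambda f: (not f["enabled"], f["risk"] != "any-destination"))
    return findings
```

Anything reported as any-destination or host-wildcard on an enabled client is worth replacing with an exact URI regardless of the patch; path wildcards are the common case the update addresses.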

CVE-2026-7507 · CVSS 7.5 (High) — Session fixation in the OIDC login flow

A flaw in the OIDC login flow lets an attacker fix the victim's session and, after the user authenticates legitimately, take over the account. No complex social engineering required — the victim only needs to start the login from an attacker-controlled link.

CVE-2026-7307 · CVSS 7.5 (High) — Denial of service on the /saml endpoint

A crafted XML input to the SAML endpoint causes excessive CPU consumption and thread starvation. Exploitable remotely and without authentication. Relevant if you expose SAML federation publicly.

CVE-2026-7571 · CVSS 7.1 (High) — Access token disclosure and implicit flow bypass

Through forged client data during session restart, an attacker with user credentials and the client ID can obtain access tokens, defeating the control that disables the implicit flow on OIDC clients.


Access control and data leakage

  • CVE-2026-4630 — IDOR in the Authorization Services Protection API.
  • CVE-2026-4628 · CVSS 5.8 — Improper access control on UMA resource management endpoints.
  • CVE-2026-37981 — PII enumeration via Account Resources User Lookup.
  • CVE-2026-37978 — Cross-role PII leak via the evaluate-scopes endpoints.
  • CVE-2026-37979 — OIDC introspection endpoint does not enforce audience restriction.

If you use UMA 2.0 or Authorization Services, review this list carefully.


XSS, replay and WebAuthn

  • CVE-2026-37980 · CVSS 6.9 — Stored XSS in select-organization.ftl (affects the Organizations feature).
  • CVE-2026-37982 — Replay of the execute-actions token allows unauthorized WebAuthn credential enrollment.
  • CVE-2026-6856 — AAGUID policy bypass in WebAuthn via packed self-attestation.

Infrastructure and dependencies

  • CVE-2026-33871 — HTTP/2 CONTINUATION frame flood (DoS).
  • CVE-2026-33870 — HTTP request smuggling via chunked extension parsing.
  • CVE-2026-5588 and additional Bouncy Castle vulnerabilities, patched via the Quarkus 3.33.1.1 upgrade.

Should you update?

Yes, and don't wait for the next maintenance window. Several of these vulnerabilities — session fixation, redirect URI bypass, SAML DoS — are exploitable without prior authentication. The attack surface is any instance reachable over the network.

Full release notes: keycloak.org/2026/05/keycloak-2662-released


At IDPTrust we specialize in Keycloak in production. If you need help assessing the impact of this release on your setup or planning the upgrade, get in touch.