logo

Database

Server-side request forgery (SSRF) In org.keycloak:keycloak-services

Description

Keycloak has a Forced Browsing issue When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled() gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-75002. NVD-2026-75003. OSV-2026-75004. GCVE-2026-75005. ACCESS-CVE-2026-7500

References

1. https://github.com/keycloak/keycloak/issues/487092. https://github.com/keycloak/keycloak/pull/487153. https://bugzilla.redhat.com/show_bug.cgi?id=2464126

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.