logo

Database

Spoofing In org.keycloak:keycloak-services

Description

Keycloak: Session fixation in OIDC login flow that can lead to account takeover A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-75072. NVD-2026-75073. OSV-2026-75074. GCVE-2026-75075. access.redhat.com6. access.redhat.com7. access.redhat.com8. access.redhat.com9. ACCESS-CVE-2026-7507

References

1. https://github.com/keycloak/keycloak/pull/491342. https://github.com/keycloak/keycloak/commit/d791b270b9ea5203be40a9533c1c12c4d044fb523. https://bugzilla.redhat.com/show_bug.cgi?id=24641454. https://github.com/keycloak/keycloak/releases/tag/26.6.2

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.