CVE-2026-7500

· NIST NVD ↗

When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

MEDIUM
CVSS severity
5.4
CVSS base score
2026-04-30
Published

CWE codes

CWE-425NVD-CWE-noinfo

Affected products

redhat:build_of_keycloak

Sources