CVE-2026-7571
⚠️ highSummary
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can obtain an access token that should not be available. This vulnerability can also lead to the exposure of these access tokens in server logs, proxy logs, and HTTP Referrer headers, resulting in sensitive information disclosure.
CVSS Score
7.1
High
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-19
First Seen: 2026-05-20
📊 Relative Risk Intelligence
This CVE is Moderate Risk - more severe than 53.4% of all 321,566 vulnerabilities in our database.
#149,865
Above average severity
Severity Percentile
🎯 CISA SSVC Assessment Updated: May 19, 2026
🔍 Exploitation Status
None
No known exploits
⚙️ Automatable
NO
Requires human interaction
💥 Technical Impact
Partial
Limited system impact
🏆 Discovered By
Red Hat would like to thank Evan Hendra for reporting this issue.
SSVC data provided by
CISA
Last Modified
2026-05-19
Source
NVD 🔗
CVSS Vector 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
CWE IDs (Weakness Types)