PatchSiren cyber security CVE debrief

CVE-2026-37979 Red Hat CVE debrief

CVE-2026-37979 is a medium-severity access control issue in Keycloak's OpenID Connect token introspection flow. A confidential client with valid credentials may be able to bypass audience restrictions and retrieve sensitive token claims intended for other resource servers, creating a confidentiality exposure for lightweight access tokens.

Vendor: Red Hat
Product: Red Hat build of Keycloak 26.4
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-19
Original CVE updated: 2026-05-20
Advisory published: 2026-05-19
Advisory updated: 2026-05-20

Who should care

Keycloak administrators, identity and access management teams, and operators of OIDC resource servers that rely on token introspection should review this issue. Organizations using confidential clients in the same realm should pay particular attention to client credential handling and introspection controls.

Technical summary

The supplied NVD description says the flaw affects Keycloak's OIDC token introspection endpoint and allows audience restrictions to be bypassed by an attacker-controlled confidential client with valid credentials. The published CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) indicates remote exploitation, low attack complexity, required client-level privileges, no user interaction, and confidentiality impact only. The issue can expose token claims that were intended for different resource servers.

Defensive priority

Medium. The issue is remotely reachable by a valid confidential client and can disclose sensitive claims, but the provided vector does not indicate integrity or availability impact. Prioritize if your deployment uses introspection-heavy OIDC flows or sensitive claims separation between resource servers.

Recommended defensive actions

  • Review the Red Hat advisory and any Keycloak vendor guidance referenced for this CVE before making changes.
  • Verify that only trusted confidential clients can use token introspection and that client credentials are protected and rotated appropriately.
  • Audit introspection usage for unexpected access patterns, especially requests that appear to retrieve claims for other resource servers.
  • Recheck audience enforcement and realm configuration to ensure resource-server separation is working as intended.
  • Apply vendor updates or mitigations as soon as they are available in your supported Keycloak distribution.
  • If exposure is suspected, rotate affected client secrets and review tokens and logs for unusual introspection activity.
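As an added illustration of the "recheck audience enforcement" action above (example code written for this debrief, not Keycloak's own code or anything from the advisory), the following shows how a resource server can treat an RFC 7662 introspection response as untrusted until it has confirmed that the token's `aud` names the server itself, so that claims intended for another resource server are never consumed even if the authorization server returned them. The resource-server identifier, scope names and sample responses are hypothetical and constructed inline.

```python
"""Added example: resource-server-side audience enforcement on an
RFC 7662 token-introspection response. Not Keycloak code; all names
(billing-api, invoices:read, sample responses) are assumed/constructed."""
import json
import time

RESOURCE_SERVER_ID = "billing-api"    # this resource server's own identifier (assumed)
REQUIRED_SCOPES = {"invoices:read"}   # scopes the protected endpoint needs (assumed)


def audience_matches(aud, expected):
    """RFC 7519 allows `aud` to be a single string or a list of strings."""
    if isinstance(aud, str):
        return aud == expected
    if isinstance(aud, list):
        return expected in aud
    return False          # missing or malformed audience is never accepted


def accept_introspection(response_json, expected_aud=RESOURCE_SERVER_ID,
                         required_scopes=REQUIRED_SCOPES, now=None):
    """Return (accepted, reason). A successful introspection call only means
    the authorization server answered; it does not mean the token is for us."""
    now = time.time() if now is None else now
    try:
        resp = json.loads(response_json)
    except ValueError:
        return False, "introspection response is not valid JSON"
    if resp.get("active") is not True:
        return False, "token inactive"
    if not audience_matches(resp.get("aud"), expected_aud):
        return False, "audience does not include this resource server"
    exp = resp.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired or missing exp"
    granted = set(str(resp.get("scope", "")).split())
    if not required_scopes <= granted:
        return False, "required scope missing"
    return True, "ok"


# Constructed sample responses (not real Keycloak output).
GOOD = json.dumps({"active": True, "aud": ["billing-api", "account"], "exp": 2000000000,
                   "scope": "openid invoices:read", "client_id": "web-portal", "sub": "user-123"})
WRONG_AUD = json.dumps({"active": True, "aud": "hr-api", "exp": 2000000000,
                        "scope": "openid invoices:read", "sub": "user-123"})

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("WRONG_AUD", WRONG_AUD)):
        print(name, accept_introspection(body, now=1_700_000_000))
```

The same check belongs in every resource server, since the CVE concerns the authorization server returning claims it should have withheld; a consumer that rejects tokens whose audience is not its own limits what a misdirected introspection result can reveal.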

Evidence notes

This debrief is based on the supplied NVD record, which describes the Keycloak OIDC token introspection audience-bypass issue and provides the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The source corpus also includes official references to a Red Hat security page and a Red Hat Bugzilla ticket, but their contents were not provided here, so no additional fix details or version claims are made.

Official resources

Publicly disclosed on 2026-05-19 per the supplied CVE and NVD timestamps. No KEV listing is present in the provided data.