PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-7500 Red Hat CVE debrief

When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. Reaching them still requires an authenticated user who holds the permissions needed to use the API; the missing gate does not bypass authentication or authorization, only the feature flag.

Vendor
Red Hat
Product
Build of Keycloak
CVSS
MEDIUM 5.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-30
Original CVE updated
2026-06-10
Advisory published
2026-04-30
Advisory updated
2026-06-10

Who should care

Organizations running Red Hat Build of Keycloak with the Account API explicitly disabled via feature flags, particularly those relying on that disablement for attack-surface reduction or compliance boundaries.

Technical summary

Keycloak's feature-disable mechanism for the Account API is incomplete. The `checkAccountApiEnabled()` guard is missing on five `/account/v1alpha1` endpoints, leaving them accessible despite the `--features-disabled=account,account-api` startup flag. Four other endpoints in the same service class are correctly blocked. An authenticated user with sufficient permissions can perform read and write operations through the remaining endpoints. The issue is tracked as Bugzilla 2464126 and addressed in RHSA-2026:25097 and RHSA-2026:25098.

Defensive priority

medium

Recommended defensive actions

  • Apply the relevant Red Hat Security Advisories (RHSA-2026:25097 and RHSA-2026:25098) when available for your Keycloak deployment.
  • Verify that `--features-disabled=account,account-api` is still configured as intended, but do not rely on this flag alone to fully disable the Account REST API until patched.
  • Review access controls and permissions for accounts that could reach `/account/v1alpha1` endpoints, as authenticated users with appropriate permissions can still exercise read and write operations on the endpoints that remain exposed.
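A verification script, added here as an example and not part of the advisory or of the Keycloak project, for the second and third actions above: given a bearer token for a user who is permitted to use the Account API, it probes paths under `/realms/<realm>/account/v1alpha1` and reports which of them still answer an authenticated request after the feature flag is set. The page does not name the five affected endpoints, so the paths are passed as arguments; the base URL, realm and token are operator inputs. Treating 404 as the answer of a correctly disabled endpoint is an assumption about Keycloak's behaviour, whereas any 2xx returned to a token that also passes the OIDC `userinfo` sanity check is the unambiguous sign that the gate is missing.

```shell
#!/bin/sh
# Added example (not from the advisory or from Keycloak): probe the versioned
# Account REST API after Keycloak was started with
#   --features-disabled=account,account-api
# and report which /account/v1alpha1 paths still serve an authenticated call.
# Assumptions: base URL, realm, paths and bearer token come from the operator;
# the advisory page does not name the five affected endpoint paths.

# Verdict for one HTTP status. Any 2xx means the endpoint served the request
# despite the feature flag (the gate is missing). 401/403 means the request
# was refused on authentication/authorization grounds, which says nothing
# about the gate unless the token is known to be valid. 404 is taken here as
# the response of a correctly disabled endpoint (assumption, not from the page).
classify_status() {
  case "$1" in
    2[0-9][0-9]) echo "EXPOSED" ;;
    401|403)     echo "AUTH_REFUSED" ;;
    404)         echo "DISABLED" ;;
    *)           echo "UNEXPECTED" ;;
  esac
}

# URL of a path under the versioned Account REST API of one realm.
# $1 = base URL, $2 = realm, $3 = path relative to /account/v1alpha1
account_url() {
  printf '%s/realms/%s/account/v1alpha1/%s\n' "${1%/}" "$2" "${3#/}"
}

# HTTP status of a GET carrying the bearer token; only the code is printed.
# $1 = URL, $2 = token
http_status() {
  curl -s -o /dev/null -w '%{http_code}' -H "Authorization: Bearer $2" "$1"
}

# Sanity-check the token against the realm's OIDC userinfo endpoint first, so
# an expired or wrong-realm token is not mistaken for a working feature gate.
# $1 = base URL, $2 = realm, $3 = token
check_token() {
  st=$(http_status "${1%/}/realms/$2/protocol/openid-connect/userinfo" "$3")
  [ "$st" = 200 ]
}

# Probe every path given after base/realm/token. Returns 1 if any path is
# reachable with the token, 0 if none is, 2 if the token itself does not work.
probe_account_api() {
  base=$1; realm=$2; token=$3; shift 3
  if ! check_token "$base" "$realm" "$token"; then
    echo "token rejected by userinfo; fix the token before drawing conclusions" >&2
    return 2
  fi
  rc=0
  for path in "$@"; do
    st=$(http_status "$(account_url "$base" "$realm" "$path")" "$token")
    verdict=$(classify_status "$st")
    printf '%-40s %s %s\n' "$path" "$st" "$verdict"
    [ "$verdict" = "EXPOSED" ] && rc=1
  done
  return $rc
}

# Invocation: KC_TOKEN=<bearer> ./probe.sh <base-url> <realm> <path>...
# Runs only when arguments are supplied, so the functions can also be sourced.
if [ $# -ge 3 ]; then
  base=$1; realm=$2; shift 2
  probe_account_api "$base" "$realm" "${KC_TOKEN:?set KC_TOKEN to a bearer token}" "$@"
fi
```

Run it once before patching with a low-privilege user's token and once after applying the errata; a non-zero exit of 1 on the pre-patch run confirms the flag alone is not an effective boundary in your deployment, and the same command exiting 0 afterwards is the regression check worth keeping.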

Evidence notes

The NVD record indicates this vulnerability was published on 2026-04-30 and modified on 2026-06-10. Red Hat has assigned two errata (RHSA-2026:25097 and RHSA-2026:25098) and tracks the issue in Bugzilla 2464126. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N with a base score of 5.4 (MEDIUM): network-reachable, low complexity, low privileges required, no user interaction, with low impact on confidentiality and integrity and none on availability. CWE-425 (Direct Request) is listed as a secondary weakness, sourced from Red Hat; NVD lists NVD-CWE-noinfo as the primary weakness classification.

Official resources

2026-04-30T15:16:23.673Z