PatchSiren cyber security CVE debrief
CVE-2026-7571 Red Hat CVE debrief
CVE-2026-7571 describes a high-severity flaw in Keycloak’s OpenID Connect (OIDC) client handling. According to the supplied record, a low-privilege user who knows valid user credentials and a client ID may bypass the control intended to disable the implicit flow by manipulating client data during a session restart. The result can be unauthorized access token issuance, and those tokens may also be exposed in server logs, proxy logs, and HTTP Referer headers. From a defensive perspective, this is both an authorization-control bypass and a sensitive-information disclosure issue.
- Vendor: Red Hat
- Product: Red Hat build of Keycloak 26.4
- CVSS: HIGH 7.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Keycloak administrators, identity and access management teams, application security engineers, and operators of OIDC clients or reverse proxies that may log or forward sensitive request data should prioritize this issue.
Technical summary
The supplied NVD record maps this issue to CVSS 3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N (base score 7.1) and CWE-472, External Control of Assumed-Immutable Web Parameter. The vector is consistent with the described scenario: the attacker needs only a valid low-privilege account (PR:L), reaches the endpoint over the network with no victim interaction (AV:N, UI:N), and the main loss is confidentiality of tokens (C:H). In practical terms, the flaw affects how Keycloak enforces a client's disabled implicit-flow setting. Per the description, manipulating client data during a session restart causes that restriction to be bypassed, so an access token is issued where the client configuration says it should not be. Because the same token may then surface in server logs, proxy logs, or Referer headers, the impact extends from access-control failure to information disclosure.
Defensive priority
High. The issue combines network-reachable abuse, low-privilege prerequisites, token exposure, and direct confidentiality impact.
Recommended defensive actions
- Review the Red Hat security advisory referenced in the NVD record for affected and fixed releases; the corpus itself names only Red Hat build of Keycloak 26.4.
- Inventory Keycloak deployments that have OIDC clients with the implicit flow disabled, and check whether the session restart path is reachable by authenticated low-privilege users (per the record, valid credentials and a client ID are the only prerequisites).
- Treat any access token that may have appeared in logs, proxy traces, or Referer headers as compromised: revoke the affected user sessions or expire the tokens according to incident-response procedures.
- Search server, application, and proxy logs for token material (JWT-shaped strings and `access_token=` parameters in request lines and Referer fields), redact what you find, and reduce retention of or access to those logs where appropriate.
- Minimize sensitive data in logs; set a restrictive `Referrer-Policy` (for example `no-referrer`) on pages that can carry tokens, and make sure reverse-proxy rules neither log full query strings nor forward authorization artifacts downstream.
- Apply the vendor fix as soon as a fixed release is confirmed for your deployment.
- Validate that client configuration and session-handling state cannot be altered by low-privilege users during restart flows.
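Two of these actions lend themselves to scripting. The following Python is an added example written for this debrief, not code from PatchSiren, Red Hat, or the Keycloak project. It scans constructed log lines for JWT-shaped token material and `access_token=` parameters, decodes (without verifying) the claims needed to scope revocation, and filters a constructed list of client records in the shape `kcadm.sh get clients -r <realm>` returns to find the OIDC clients that rely on the disabled implicit-flow flag. The realm, client IDs, hostnames, log lines, and the token itself are all constructed; nothing here exercises the bypass.

```python
# Added example (not PatchSiren, Red Hat or Keycloak code): log triage and client
# inventory helpers. All sample tokens, log lines and client records are constructed.
import base64
import json
import re
from typing import Optional

# JWT-shaped strings: three base64url segments; a JSON header always encodes to "eyJ".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}")
# URL parameters that commonly carry OIDC tokens in request lines or Referer values.
TOKEN_PARAM_RE = re.compile(r'(access_token|id_token|token)=([^&\s"#]+)')


def _b64url_json(obj: dict) -> str:
    """base64url-encode a JSON object without padding, the way JWT segments are built."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_jwt_claims(token: str) -> Optional[dict]:
    """Return a JWT's payload claims WITHOUT verifying the signature.

    Triage only: iss/azp/sub/sid/exp tell you which realm, client, user and
    session to revoke. Nothing here establishes that the token is genuine.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None


def find_tokens(line: str) -> list:
    """Distinct JWT-shaped strings in one log line, in order of appearance."""
    found = []
    for m in JWT_RE.finditer(line):
        if m.group(0) not in found:
            found.append(m.group(0))
    return found


def redact(line: str) -> str:
    """Replace JWT-shaped strings so a finding can be shared without re-leaking the token."""
    return JWT_RE.sub("[REDACTED_JWT]", line)


def _param_name(line: str, token: str) -> Optional[str]:
    """Name of the URL parameter carrying `token`, or None if it appears bare."""
    for m in TOKEN_PARAM_RE.finditer(line):
        if m.group(2) == token:
            return m.group(1)
    return None


def scan_log(lines) -> list:
    """One finding per (line, token): where it sat and the claims needed to act on it."""
    findings = []
    for number, line in enumerate(lines, 1):
        for token in find_tokens(line):
            claims = decode_jwt_claims(token) or {}
            findings.append({
                "line": number,
                "param": _param_name(line, token),
                "token_prefix": token[:12] + "...",  # enough to correlate, not to replay
                "iss": claims.get("iss"), "azp": claims.get("azp"),
                "sub": claims.get("sub"), "sid": claims.get("sid"), "exp": claims.get("exp"),
            })
    return findings


def clients_relying_on_implicit_disabled(clients) -> list:
    """OIDC clients whose guard against implicit-flow tokens is the disabled flag,
    i.e. the population this CVE's bypass matters for. Field names are Keycloak's
    ClientRepresentation fields; the records themselves are constructed."""
    return sorted(c["clientId"] for c in clients
                  if c.get("protocol") == "openid-connect"
                  and not c.get("implicitFlowEnabled", False))


# Constructed token: made-up header and claims, and a dummy signature (base64url("dummy-sig")).
_SAMPLE_TOKEN = ".".join([
    _b64url_json({"alg": "RS256", "typ": "JWT", "kid": "example-kid"}),
    _b64url_json({"iss": "https://sso.example.test/realms/demo", "azp": "legacy-spa",
                  "sub": "3b9f-user", "sid": "sess-42", "exp": 1779188400}),
    "ZHVtbXktc2ln",
])

# Constructed combined-format access log lines (not from any real deployment).
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [19/May/2026:10:00:01 +0000] "GET /app/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    f'10.0.0.5 - - [19/May/2026:10:00:02 +0000] "GET /app/cb?access_token={_SAMPLE_TOKEN} HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
    f'10.0.0.5 - - [19/May/2026:10:00:03 +0000] "GET /static/logo.png HTTP/1.1" 200 1024 "https://app.example.test/cb?access_token={_SAMPLE_TOKEN}" "Mozilla/5.0"',
]

# Constructed subset of what `kcadm.sh get clients -r <realm>` returns.
SAMPLE_CLIENTS = [
    {"clientId": "legacy-spa", "protocol": "openid-connect", "publicClient": True,
     "implicitFlowEnabled": False, "standardFlowEnabled": True},
    {"clientId": "batch-worker", "protocol": "openid-connect", "publicClient": False,
     "implicitFlowEnabled": False, "standardFlowEnabled": False},
    {"clientId": "old-widget", "protocol": "openid-connect", "publicClient": True,
     "implicitFlowEnabled": True, "standardFlowEnabled": True},
    {"clientId": "saml-portal", "protocol": "saml"},
]

if __name__ == "__main__":
    print(json.dumps(scan_log(SAMPLE_LOG_LINES), indent=2))
    print("clients with implicit flow disabled:", clients_relying_on_implicit_disabled(SAMPLE_CLIENTS))
    for line in SAMPLE_LOG_LINES:
        print(redact(line))
```

Run it as a script to print the redacted findings; on a real deployment feed `scan_log` the lines of your access or proxy logs and feed `clients_relying_on_implicit_disabled` the JSON that `kcadm.sh get clients -r <realm>` emits. The claim decoding deliberately skips signature verification: the goal is to learn which realm (`iss`), client (`azp`), user (`sub`) and session (`sid`) to act on, not to trust the token.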
Evidence notes
The assessment is based only on the supplied corpus: the NVD record published on 2026-05-19, the CVE description, and the metadata that cites Red Hat advisory and Bugzilla references. The record includes CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N and CWE-472. No affected version list or fix version was provided in the corpus, so remediation details are limited to vendor-referenced guidance.
Official resources
Publicly disclosed and published in the supplied NVD record on 2026-05-19. The issue is not marked as CISA KEV-listed in the provided enrichment data.