Issued: 2026-05-20
Updated: 2026-05-20

RHSA-2026:19596 - Important: Red Hat build of Keycloak 26.4.12 Security Update


Synopsis

Important: Red Hat build of Keycloak 26.4.12 Security Update

Type/Severity

Security Advisory: Important

Topic

New Red Hat build of Keycloak 26.4.12 packages are available from the Customer Portal

Description

Red Hat build of Keycloak 26.4.12 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security fixes:

  • Denial of Service via specially crafted SAML input (CVE-2026-7307)
  • Information Disclosure via evaluate-scopes Admin API (CVE-2026-37978)
  • Unauthorized account takeover via WebAuthn token replay (CVE-2026-37982)
  • Information disclosure via OIDC token introspection endpoint audience bypass (CVE-2026-37979)
  • Access token disclosure and implicit flow bypass via forged client data (CVE-2026-7571)
  • Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)
  • Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)
  • Information disclosure via broken access control in user lookup endpoint (CVE-2026-37981)
  • Unauthorized resource access and data modification via Insecure Direct Object Reference (CVE-2026-4630)
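As an added defender's check tied to the wildcard redirect URI item above (this is not part of the advisory and not Red Hat or Keycloak code): a small audit that scans a Keycloak realm export for clients whose valid redirect URIs contain wildcards, ranking a bare "*" (any URL accepted) above a wildcard in the host and a trailing path wildcard. It assumes the realm export JSON layout in which a top-level clients array carries clientId and redirectUris per client; the sample export below is constructed.

```python
import json
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample realm export (not from any real deployment).
SAMPLE_REALM_EXPORT = """
{
  "realm": "example",
  "clients": [
    {"clientId": "portal",     "redirectUris": ["https://portal.example.com/callback"]},
    {"clientId": "legacy-app", "redirectUris": ["https://legacy.example.com/*", "*"]},
    {"clientId": "broker",     "redirectUris": ["https://*.example.com/cb"]}
  ]
}
"""


def classify_redirect_uri(uri: str) -> Optional[str]:
    """Return a risk label for a valid-redirect-URI pattern, or None if it
    contains no wildcard.  A bare '*' accepts any URL; a wildcard in the
    scheme or host accepts attacker-controlled origins; a wildcard only in
    the path still deserves review but is the narrowest of the three."""
    if uri.strip() == "*":
        return "any-url"
    parts = urlsplit(uri)
    if "*" in parts.scheme or "*" in parts.netloc:
        return "host-wildcard"
    if "*" in parts.path or "*" in parts.query or "*" in parts.fragment:
        return "path-wildcard"
    return None


def wildcard_redirects(realm_json: str) -> List[Tuple[str, str, str]]:
    """Return (clientId, redirectUri, risk) for every wildcard redirect URI
    found in the realm export.  Clients without redirectUris are skipped."""
    realm = json.loads(realm_json)
    findings = []
    for client in realm.get("clients", []):
        client_id = client.get("clientId", "<unnamed>")
        for uri in client.get("redirectUris", []):
            risk = classify_redirect_uri(uri)
            if risk is not None:
                findings.append((client_id, uri, risk))
    return findings


if __name__ == "__main__":
    for client_id, uri, risk in wildcard_redirects(SAMPLE_REALM_EXPORT):
        print(f"{risk:14} {client_id:12} {uri}")
```

Run it against a realm export produced by kc.sh export and review every any-url and host-wildcard finding before, not only after, applying the update.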

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Affected Products

Product                     Version                Arch
Red Hat build of Keycloak   Text-only Advisories   x86_64

Fixes

(none)
