{
  "threat_severity" : "Moderate",
  "public_date" : "2026-05-19T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass",
    "id" : "2455328",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2455328"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "details" : [ "A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.", "A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials." ],
  "statement" : "Moderate impact: Keycloak's OIDC token introspection endpoint fails to enforce audience validation, allowing a confidential client to retrieve sensitive token claims intended for a different audience. This compromises the confidentiality of lightweight tokens within Red Hat Build of Keycloak.",
  "acknowledgement" : "Red Hat would like to thank Herdiyan Adam Putra for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19597",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.4.12-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19597",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9:26.4-17"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19597",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.4-17"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4.12",
    "release_date" : "2026-05-20T00:00:00Z",
    "advisory" : "RHSA-2026:19596",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-37979\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-37979" ],
  "name" : "CVE-2026-37979",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}