Keycloak Session Fixation Flaw Allows Account Takeover (CVE-2026-7507)

The National Vulnerability Database has disclosed CVE-2026-7507, a high-severity session fixation vulnerability in Keycloak’s login-actions endpoints. This flaw, rated 7.5 CVSS (HIGH), allows an unauthenticated attacker to achieve complete account takeover, including highly privileged administrative accounts, without needing the victim’s credentials.

Attackers can pre-create an authentication session and then trick a victim into clicking a specially crafted link. The vulnerability lies in Keycloak’s /login-actions/restart endpoint, which, according to the National Vulnerability Database, handles session handles without proper CSRF protection and without validating that the presented session belongs to the requesting browser’s own cookie. This oversight lets an attacker reset the authentication flow state, so that the victim’s existing Single Sign-On (SSO) session transparently completes authentication when the link is clicked. Once the session is authenticated, the attacker can hijack the required-action form, bypassing credential requirements.

This isn’t just a theoretical bypass; it’s a direct path to full compromise. For organizations leveraging Keycloak for identity and access management, especially with SSO, this vulnerability represents a critical risk. The attacker’s calculus here is straightforward: social engineering a click combined with a vulnerable endpoint yields full account control. This underscores the need for robust session management and strict validation at every stage of the authentication flow, particularly in critical components like SSO.
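To make the two missing checks concrete, here is an added illustration, not Keycloak’s code and not taken from the advisory, of a restart handler in the vulnerable shape beside one that performs cookie-ownership validation and a same-origin CSRF guard. The parameter name session_code, the cookie name AUTH_SESSION_ID, the IDP_ORIGIN constant and the in-memory session dict are assumptions made for the example.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse
# Assumed issuer origin; in a real deployment this is the IdP's own base URL.
IDP_ORIGIN = "https://idp.example.com"

@dataclass
class AuthSession:
    handle: str          # value presented in the restart URL
    cookie_id: str       # browser-bound id set when the session was created
    flow_state: str = "credentials"

@dataclass
class Request:
    query: dict
    cookies: dict
    headers: dict = field(default_factory=dict)

def restart_unchecked(store, req):
    """Shape of the flaw the advisory describes: anyone who knows a session
    handle can reset that session's flow state, whoever owns it."""
    s = store.get(req.query.get("session_code"))
    if s is None:
        return "no-session"
    s.flow_state = "restarted"
    return "restarted"

def restart_checked(store, req):
    """Hardened shape: the handle must belong to the requesting browser's own
    cookie-bound session, and the navigation must come from the IdP origin."""
    s = store.get(req.query.get("session_code"))
    if s is None:
        return "no-session"
    # Cookie-ownership validation: refuse to touch a session this browser did not start.
    if req.cookies.get("AUTH_SESSION_ID") != s.cookie_id:
        return "rejected-not-owner"
    # CSRF guard: a link followed from a third-party site arrives with a
    # foreign (or empty) Origin/Referer, not the IdP's own origin.
    src = urlparse(req.headers.get("Origin") or req.headers.get("Referer", ""))
    if f"{src.scheme}://{src.netloc}" != IDP_ORIGIN:
        return "rejected-cross-site"
    s.flow_state = "restarted"
    return "restarted"

def demo():
    """Constructed scenario: a session started by one browser (cookie 'c-attacker'),
    then a restart request for it arriving from another browser via an external link."""
    store = {"h1": AuthSession("h1", "c-attacker")}
    foreign = Request({"session_code": "h1"}, {"AUTH_SESSION_ID": "c-victim"},
                      {"Referer": "https://third-party.example/"})
    return restart_unchecked(store, foreign), restart_checked(store, foreign)
```

The unchecked handler resets the foreign session; the checked one refuses on ownership before the origin check is even reached.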

What This Means For You

  • If your organization uses Keycloak, this is a severe vulnerability that demands immediate attention. Account takeover without credentials is the holy grail for attackers. You need to identify all Keycloak instances within your environment and immediately look for patches or mitigation strategies for CVE-2026-7507. This flaw can lead to administrative account compromise, which is game over for your security posture.

Related ATT&CK Techniques

🛡️ Detection Rules

Severity: high · ATT&CK: T1190 (Initial Access)

Web Application Exploitation Attempt — CVE-2026-7507

Sigma YAML:
title: Web Application Exploitation Attempt — CVE-2026-7507
id: scw-2026-05-19-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2026-7507 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7507/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # Generic web-attack substrings; none of these is specific to the
    # session-fixation flaw in /login-actions/restart.
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Legitimate requests whose query string happens to contain one of these substrings

Source: Shimi's Cyber World

Indicators of Compromise

ID             Type              Indicator
CVE-2026-7507  Session Fixation  Keycloak login-actions endpoints
CVE-2026-7507  Auth Bypass       Keycloak /login-actions/restart endpoint
CVE-2026-7507                    Keycloak

Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 19, 2026 at 15:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
