Keycloak Vulnerability CVE-2026-7571 Allows Implicit Flow Bypass

The National Vulnerability Database has detailed a critical flaw, CVE-2026-7571, affecting Keycloak. This vulnerability allows a low-privilege attacker, possessing user credentials and a client ID, to circumvent security measures designed to disable the implicit OpenID Connect flow. By manipulating client data during a session restart, attackers can illicitly obtain access tokens that should be inaccessible.

This bypass is not merely theoretical. The National Vulnerability Database indicates that the compromised access tokens can be inadvertently exposed across various logging systems, including server logs, proxy logs, and even in HTTP Referrer headers. This exposure constitutes a significant sensitive information disclosure risk, potentially granting attackers broader access or enabling further compromise.

Defenders must prioritize patching Keycloak instances immediately. The CVSS score of 7.1 (HIGH) underscores the severity. Organizations should also review access control configurations, especially for OIDC clients, and audit logs for any signs of unusual token acquisition or exposure.

What This Means For You

  • If your organization uses Keycloak for identity and access management, you must verify that your Keycloak instances are patched against CVE-2026-7571. Additionally, audit your OIDC client configurations to ensure the implicit flow is correctly disabled and review logs for any evidence of token leakage, particularly in HTTP headers or proxy logs.
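A defender-side check for the two audit steps above (client configuration review and log review), added here as an example that is not part of the original advisory or of Keycloak itself. It assumes client records in the shape returned by the Keycloak admin REST API (the `implicitFlowEnabled` field of a client representation) and constructed proxy log lines in combined-log format; the token pattern is a heuristic for JWT-shaped strings, not a Keycloak-specific format.

```python
import re

# Shape of a Keycloak client representation as returned by the admin REST
# endpoint GET /admin/realms/{realm}/clients (only the fields used here).
# These records are constructed sample data, not pulled from a live server.
SAMPLE_CLIENTS = [
    {"clientId": "web-portal", "implicitFlowEnabled": False, "standardFlowEnabled": True},
    {"clientId": "legacy-spa", "implicitFlowEnabled": True, "standardFlowEnabled": True},
    {"clientId": "service-account", "implicitFlowEnabled": False, "standardFlowEnabled": False},
]

# Constructed proxy access-log lines (combined-log layout). The tokens are
# fake, JWT-shaped placeholders, not real credentials.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [19/May/2026:15:16:01 +0000] "GET /app/ HTTP/1.1" 200 512 "https://idp.example.test/realms/demo/protocol/openid-connect/auth" "Mozilla/5.0"',
    '10.0.0.5 - - [19/May/2026:15:16:02 +0000] "GET /app/callback?access_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1MSJ9.c2lnbmF0dXJl HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [19/May/2026:15:16:03 +0000] "GET /static/app.js HTTP/1.1" 200 9001 "https://app.example.test/app/callback?access_token=eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1MiJ9.c2ln" "Mozilla/5.0"',
]

# JWT-shaped token: three base64url segments; a JSON header encodes to "eyJ...".
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+")
# In a combined log line the request line and the Referer are the first two quoted fields.
QUOTED_RE = re.compile(r'"([^"]*)"')


def clients_with_implicit_flow(clients):
    """Return clientIds that still have the implicit flow enabled (expected empty after hardening)."""
    return sorted(c["clientId"] for c in clients if c.get("implicitFlowEnabled", False))


def find_leaked_tokens(lines):
    """Return (line_no, field, redacted_token) for JWT-shaped tokens seen in request URLs or Referer headers."""
    hits = []
    for n, line in enumerate(lines, start=1):
        quoted = QUOTED_RE.findall(line)
        if len(quoted) < 2:
            continue  # not a combined-log line; skip rather than guess
        for field, value in (("request", quoted[0]), ("referer", quoted[1])):
            for m in JWT_RE.finditer(value):
                tok = m.group(0)
                # Report only a redacted form so the audit output does not leak the token again.
                hits.append((n, field, tok[:8] + "..." + tok[-4:]))
    return hits


if __name__ == "__main__":
    print("clients with implicit flow enabled:", clients_with_implicit_flow(SAMPLE_CLIENTS))
    for hit in find_leaked_tokens(SAMPLE_LOG_LINES):
        print("possible token exposure:", hit)
```

Run against real data by replacing the two sample lists with the admin API response and a slice of your proxy or server access log; any hit means a token reached a URL or Referer and the session it belongs to should be treated as exposed.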

Indicators of Compromise

ID | Type | Indicator
CVE-2026-7571 | Auth Bypass | Keycloak implicit flow bypass via client data manipulation during session restart
CVE-2026-7571 | Information Disclosure | Keycloak exposure of access tokens in server logs, proxy logs, and HTTP Referrer headers
Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 19, 2026 at 15:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
