CVE-2026-7500

ADVISORY - github

Summary

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled() gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

EPSS Score⁠: 0.00026 (0.073)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-425⁠

Direct Request ('Forced Browsing')

ADVISORY - github

CWE-425⁠

Direct Request ('Forced Browsing')

ADVISORY - redhat

CWE-425⁠

Direct Request ('Forced Browsing')

Impacted images

Advisories

NIST

CREATED

20 days ago

UPDATED

15 days ago

ADVISORY IDCVE-2026-7500⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-425⁠

CVSS SCORE

5.4medium

GitHub

CREATED

20 days ago

UPDATED

14 days ago

ADVISORY IDGHSA-hm32-hfmw-rhvg⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-425⁠

CVSS SCORE

5.4medium

Red Hat

CREATED

21 days ago

UPDATED

20 days ago

ADVISORY IDCVE-2026-7500⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-425⁠

CVSS SCORE

5.4medium

Chainguard

CREATED

10 days ago

UPDATED

10 days ago

ADVISORY ID

CGA-q8rh-w844-w94h

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-4wph-75wx-fjpq

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY

minimos

CREATED

18 hours ago

UPDATED

18 hours ago

ADVISORY ID

MINI-8rg5-9gr6-p585

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY