Introduction
A session fixation flaw in Keycloak's authentication flow allows an unauthenticated attacker to silently hijack a victim's Single Sign On session and take over their account, including the master realm administrator. On a default Keycloak deployment, Red Hat has confirmed the demonstrated impact is full takeover of the most privileged account in the system.
Keycloak is a widely adopted open source identity and access management platform, used by organizations to provide SSO, user federation, and fine grained authorization for applications and services. Red Hat provides enterprise support through the Red Hat Build of Keycloak (formerly Red Hat Single Sign On), making it a foundational component in many enterprise security architectures.
Technical Information
CVE-2026-7507 is classified under CWE-290 (Authentication Bypass by Spoofing) and carries a CVSS 3.1 base score of 7.5 with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability resides in Keycloak's /login-actions/restart endpoint, which is part of the broader login-actions endpoint family responsible for managing authentication session state.
Root Cause
The /login-actions/restart endpoint accepts and processes authentication session handles without performing two critical security checks:
- No CSRF token validation: The endpoint does not verify that the request originated from a legitimate user action within the expected authentication flow.
- No cookie ownership validation: The endpoint does not confirm that the session handle being processed belongs to the browser (and therefore the user) making the request.
This combination means an externally supplied session handle is trusted at face value, allowing an attacker to inject their own pre-created session into a victim's browser context.
Attack Flow
The exploitation proceeds through a well defined sequence:
-
Session pre-creation: The attacker, who is unauthenticated, initiates an authentication session against the target Keycloak instance. This generates a session handle that the attacker controls.
-
Link crafting: The attacker constructs a malicious URL pointing to the
/login-actions/restartendpoint, embedding the pre-created session handle as a parameter. -
Victim interaction: The attacker delivers this link to the victim through any social engineering channel (email, chat, embedded in a page). The victim clicks the link.
-
Flow state reset: When the victim's browser hits the
/login-actions/restartendpoint, Keycloak resets the authentication flow state using the attacker-controlled session handle. Because there is no CSRF check or cookie ownership verification, this reset is accepted without question. -
Silent SSO authentication: If the victim already has an active SSO session with the Keycloak instance (a common scenario in enterprise environments where users remain logged in), the reset causes SSO to fire transparently. The victim is authenticated into the attacker-controlled session without being prompted for credentials.
-
Required action hijack: The attacker can now claim the resulting required-action form. Since the session was pre-created by the attacker, they retain access to the session context and can complete any required actions (such as password resets or account configuration) on behalf of the now-authenticated victim.
CVSS Vector Breakdown
| Component | Value | Meaning |
|---|---|---|
| Attack Vector | Network (AV:N) | Exploitable remotely over the network |
| Attack Complexity | High (AC:H) | Requires specific conditions (victim must have active SSO session) |
| Privileges Required | None (PR:N) | Attacker needs no prior authentication |
| User Interaction | Required (UI:R) | Victim must click the crafted link |
| Confidentiality Impact | High (C:H) | Full access to victim account data |
| Integrity Impact | High (I:H) | Attacker can modify account settings and data |
| Availability Impact | High (A:H) | Attacker can lock out the legitimate user |
Community Context
This vulnerability does not exist in isolation. Community discussions have previously flagged concerns about the fragility of Keycloak's session handling in the restart flow. GitHub Issue 43896 documents a RESTART_AUTHENTICATION_ERROR occurring during registration flows with email verification, where the /login-actions/restart endpoint disrupts the authentication session context. Separately, GitHub Discussion 37070 raised concerns about Keycloak not generating new AUTH_SESSION_ID values after successful authentication, pointing to broader session fixation risks in the authentication process.
Affected Package
The affected package identified by Red Hat is rhbk/keycloak-rhel9-operator, which is part of the Red Hat Build of Keycloak distribution. The upstream org.keycloak/keycloak-services module is where the vulnerable code resides, as indicated by the Bugzilla entry title.
Affected Systems and Versions
Red Hat has identified the following as affected:
| Product | Package |
|---|---|
| Red Hat Build of Keycloak | rhbk/keycloak-rhel9-operator |
Specific affected version ranges have not been published in the available advisories. The upstream Keycloak project (org.keycloak/keycloak-services) is the source of the vulnerability. Organizations running any version of Keycloak or the Red Hat Build of Keycloak should treat this as potentially applicable until Red Hat publishes fixed version numbers.
Vendor Security History
Keycloak has seen several notable security issues disclosed in 2026, reflecting the complexity inherent in identity and access management software:
| Advisory | Description |
|---|---|
| GHSA-h4wv-g838-66g3 | Application level Denial of Service via scope processing; an unauthenticated attacker could send a crafted POST request to cause DoS |
| GHSA-hj93-h7pg-fh6v | Privilege escalation via forged authorization codes due to lack of namespace isolation in SingleUseObjectProvider |
| GHSA-f2hx-5fx3-hmcv | UMA policy resource injection allowing an attacker to gain unauthorized permissions and obtain a Requesting Party Token |
| CVE-2026-2575 | Denial of Service via highly compressed SAMLRequest sent by an unauthenticated remote attacker |
This pattern shows that the Keycloak maintainers actively identify and disclose vulnerabilities, but also that the authentication and authorization surface area of the product continues to yield complex flaws.
References
- Red Hat CVE Page for CVE-2026-7507
- Red Hat Bugzilla: 2464145
- NVD Entry for CVE-2026-7507
- Red Hat CVE JSON Data
- Keycloak GitHub Issue 43896: RESTART_AUTHENTICATION_ERROR
- Keycloak GitHub Discussion 37070: Session Fixation in Authentication Process
- GHSA-h4wv-g838-66g3: Application Level DoS via Scope Processing
- GHSA-hj93-h7pg-fh6v: Privilege Escalation via Forged Authorization Codes
- GHSA-f2hx-5fx3-hmcv: UMA Policy Resource Injection
- Red Hat Single Sign On Extended Lifecycle Support



