ZeroPath at Black Hat USA 2026

Brief Summary: Keycloak CVE-2026-7507 Session Fixation Vulnerability Enables Admin Account Takeover

A short review of CVE-2026-7507, a high severity session fixation flaw in Keycloak's login-actions endpoints that allows an unauthenticated attacker to hijack authentication flows and take over accounts, including the master realm admin.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-19

Brief Summary: Keycloak CVE-2026-7507 Session Fixation Vulnerability Enables Admin Account Takeover
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A session fixation flaw in Keycloak's authentication flow allows an unauthenticated attacker to silently hijack a victim's Single Sign On session and take over their account, including the master realm administrator. On a default Keycloak deployment, Red Hat has confirmed the demonstrated impact is full takeover of the most privileged account in the system.

Keycloak is a widely adopted open source identity and access management platform, used by organizations to provide SSO, user federation, and fine grained authorization for applications and services. Red Hat provides enterprise support through the Red Hat Build of Keycloak (formerly Red Hat Single Sign On), making it a foundational component in many enterprise security architectures.

Technical Information

CVE-2026-7507 is classified under CWE-290 (Authentication Bypass by Spoofing) and carries a CVSS 3.1 base score of 7.5 with the vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability resides in Keycloak's /login-actions/restart endpoint, which is part of the broader login-actions endpoint family responsible for managing authentication session state.

Root Cause

The /login-actions/restart endpoint accepts and processes authentication session handles without performing two critical security checks:

  1. No CSRF token validation: The endpoint does not verify that the request originated from a legitimate user action within the expected authentication flow.
  2. No cookie ownership validation: The endpoint does not confirm that the session handle being processed belongs to the browser (and therefore the user) making the request.

This combination means an externally supplied session handle is trusted at face value, allowing an attacker to inject their own pre-created session into a victim's browser context.

Attack Flow

The exploitation proceeds through a well defined sequence:

  1. Session pre-creation: The attacker, who is unauthenticated, initiates an authentication session against the target Keycloak instance. This generates a session handle that the attacker controls.

  2. Link crafting: The attacker constructs a malicious URL pointing to the /login-actions/restart endpoint, embedding the pre-created session handle as a parameter.

  3. Victim interaction: The attacker delivers this link to the victim through any social engineering channel (email, chat, embedded in a page). The victim clicks the link.

  4. Flow state reset: When the victim's browser hits the /login-actions/restart endpoint, Keycloak resets the authentication flow state using the attacker-controlled session handle. Because there is no CSRF check or cookie ownership verification, this reset is accepted without question.

  5. Silent SSO authentication: If the victim already has an active SSO session with the Keycloak instance (a common scenario in enterprise environments where users remain logged in), the reset causes SSO to fire transparently. The victim is authenticated into the attacker-controlled session without being prompted for credentials.

  6. Required action hijack: The attacker can now claim the resulting required-action form. Since the session was pre-created by the attacker, they retain access to the session context and can complete any required actions (such as password resets or account configuration) on behalf of the now-authenticated victim.

CVSS Vector Breakdown

ComponentValueMeaning
Attack VectorNetwork (AV:N)Exploitable remotely over the network
Attack ComplexityHigh (AC:H)Requires specific conditions (victim must have active SSO session)
Privileges RequiredNone (PR:N)Attacker needs no prior authentication
User InteractionRequired (UI:R)Victim must click the crafted link
Confidentiality ImpactHigh (C:H)Full access to victim account data
Integrity ImpactHigh (I:H)Attacker can modify account settings and data
Availability ImpactHigh (A:H)Attacker can lock out the legitimate user

Community Context

This vulnerability does not exist in isolation. Community discussions have previously flagged concerns about the fragility of Keycloak's session handling in the restart flow. GitHub Issue 43896 documents a RESTART_AUTHENTICATION_ERROR occurring during registration flows with email verification, where the /login-actions/restart endpoint disrupts the authentication session context. Separately, GitHub Discussion 37070 raised concerns about Keycloak not generating new AUTH_SESSION_ID values after successful authentication, pointing to broader session fixation risks in the authentication process.

Affected Package

The affected package identified by Red Hat is rhbk/keycloak-rhel9-operator, which is part of the Red Hat Build of Keycloak distribution. The upstream org.keycloak/keycloak-services module is where the vulnerable code resides, as indicated by the Bugzilla entry title.

Affected Systems and Versions

Red Hat has identified the following as affected:

ProductPackage
Red Hat Build of Keycloakrhbk/keycloak-rhel9-operator

Specific affected version ranges have not been published in the available advisories. The upstream Keycloak project (org.keycloak/keycloak-services) is the source of the vulnerability. Organizations running any version of Keycloak or the Red Hat Build of Keycloak should treat this as potentially applicable until Red Hat publishes fixed version numbers.

Vendor Security History

Keycloak has seen several notable security issues disclosed in 2026, reflecting the complexity inherent in identity and access management software:

AdvisoryDescription
GHSA-h4wv-g838-66g3Application level Denial of Service via scope processing; an unauthenticated attacker could send a crafted POST request to cause DoS
GHSA-hj93-h7pg-fh6vPrivilege escalation via forged authorization codes due to lack of namespace isolation in SingleUseObjectProvider
GHSA-f2hx-5fx3-hmcvUMA policy resource injection allowing an attacker to gain unauthorized permissions and obtain a Requesting Party Token
CVE-2026-2575Denial of Service via highly compressed SAMLRequest sent by an unauthenticated remote attacker

This pattern shows that the Keycloak maintainers actively identify and disclose vulnerabilities, but also that the authentication and authorization surface area of the product continues to yield complex flaws.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization