CVE-2026-7507

Description

A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.

How to fix CVE-2026-7507

To remediate CVE-2026-7507, upgrade the affected package to a fixed version below.

• —upgrade to 26.6.2 or later

Is CVE-2026-7507 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-7507.

Affected packages (1)

• from 0, < 26.6.2

CVSS scores

References (11)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-7507
• PATCHgithub.com/keycloak/keycloak
• WEBaccess.redhat.com/errata/RHSA-2026:19594
• WEBaccess.redhat.com/errata/RHSA-2026:19595
• WEBaccess.redhat.com