RHSA-2026:19596 - Security Advisory

Topic

New Red Hat build of Keycloak 26.4.12 packages are available from the Customer Portal

Description

Red Hat build of Keycloak 26.4.12 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security fixes:

• Denial of Service via specially crafted SAML input (CVE-2026-7307)
• Information Disclosure via evaluate-scopes Admin API (CVE-2026-37978)
• Unauthorized account takeover via WebAuthn token replay (CVE-2026-37982)
• Information disclosure via OIDC token introspection endpoint audience bypass (CVE-2026-37979)
• Access token disclosure and implicit flow bypass via forged client data (CVE-2026-7571)
• Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)
• Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)
• Information disclosure via broken access control in user lookup endpoint (CVE-2026-37981)
• Unauthorized resource access and data modification via Insecure Direct Object Reference (CVE-2026-4630)

Solution

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Affected Products

• Red Hat build of Keycloak Text-only Advisories x86_64

Fixes

CVEs

• CVE-2026-4630
• CVE-2026-7307
• CVE-2026-7504
• CVE-2026-7507
• CVE-2026-7571
• CVE-2026-37978
• CVE-2026-37979
• CVE-2026-37981
• CVE-2026-37982

References

• https://access.redhat.com/security/updates/classification/#important