<Vulnerability name="CVE-2026-7500">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-04-30T00:00:00</PublicDate>
    <Bugzilla id="2464126" url="https://bugzilla.redhat.com/show_bug.cgi?id=2464126" xml:lang="en:us">
org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the Account API feature is disabled
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>5.4</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-425</CWE>
    <Details xml:lang="en:us" source="Red Hat">
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional, including both read and write operations, because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The caller must still be an authenticated user with permission to use the API.
    </Details>
    <Statement xml:lang="en:us">
This Moderate impact flaw in Keycloak allows authenticated users to bypass the intended disablement of the account and account-api features when Keycloak is started with `--features-disabled=account,account-api`. This bypass enables unauthorized read and write operations on specific account endpoints, despite the configuration aiming to restrict such access.
    </Statement>
    <Acknowledgement xml:lang="en:us">
Red Hat would like to thank Evan Hendra for reporting this issue.
    </Acknowledgement>
    <Mitigation xml:lang="en:us">
To reduce the attack surface, restrict network access to the Keycloak server's administration and API endpoints to trusted networks or hosts. This limits the ability of unauthorized users to interact with the server and potentially exploit this improper access control vulnerability. If the Keycloak service is reloaded or restarted, ensure that firewall rules or network access controls remain in effect.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:build_keycloak:">
        <ProductName>Red Hat Build of Keycloak</ProductName>
        <FixState>Affected</FixState>
        <PackageName>rhbk/keycloak-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-7500
https://nvd.nist.gov/vuln/detail/CVE-2026-7500
    </References>
</Vulnerability>