CVE•Published 2026-04-30•Modified 2026-06-26•0 articles on news•6 live references•NVD data
CVE-2026-7500Redhat · Build_of_keycloak
Vulnerability data via NVD (ingested)
CVSS v3.1
5.4
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS percentile
13
Exploit Prediction Scoring System · top 87% of all CVEs
Weaknesses (CWE)
Description
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
Timeline
Published 2026-04-30
Modified 2026-06-26
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
Shodan · vuln tag0 hosts
vuln:CVE-2026-7500Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product
product:"Redhat Build Of Keycloak"All exposed Redhat Build Of Keycloak instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Build Of Keycloak"HTTP body or banner mentions "Build Of Keycloak" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2026-7500Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-7500Censys host search filtered to this CVE id.
grep.app
CVE-2026-7500Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-7500GitHub code search for direct mentions.
Google dork
"CVE-2026-7500" exploit -site:nvd.nist.govWrite-ups and news, NVD excluded.
Known PoCs on GitHub (8)
CVE-2026-75008 repos
xdavidhu/awesome-google-vrp-writeupsPython
🐛 A list of writeups from the Google VRP Bug Bounty program
jaiswalakshansh/Facebook-BugBounty-Writeupsunknown
Collection of Facebook Bug Bounty Writeups
hiifong/starListPython
Export your star's repository list
hugefiver/mystarsunknown
mccright/referencesunknown
Collection of reusable references
odinb/Lenovo_Yoga_7_2-in-1_16AKP10unknown
Lenovo Yoga 7 2-in-1 16AKP10 (83JU / LNVNB161216)
Paullllllllllllllllll/ChronoMinerPython
A Python tool for extracting structured data from text files using multiple LLM providers (OpenAI, Anthropic Claude, Google Gemini, OpenRouter) via LangChain with JSON schema-based…
StrongWind1/KerberosJavaScript
Comprehensive reference for Kerberos authentication in Microsoft Active Directory — protocol internals, security configuration, and attack techniques.
We haven't classified any articles referencing CVE-2026-7500 yet. The external references above still apply.