CVE-2026-7507Redhat · Build_of_keycloak
Vulnerability data via NVD (ingested)
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.
External references
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-7507product:"Redhat Build Of Keycloak"http.html:"Build Of Keycloak"More intel sources (5)
vuln:CVE-2026-7507vulnerabilities.cve_id: CVE-2026-7507CVE-2026-7507CVE-2026-7507"CVE-2026-7507" exploit -site:nvd.nist.gov