Red Hat Product Errata RHSA-2026:19594 - Security Advisory
Issued: 2026-05-20
Updated: 2026-05-20

Synopsis
Important: Red Hat build of Keycloak 26.2.16 Security Update

Type/Severity
Security Advisory: Important

Topic
New Red Hat build of Keycloak 26.2.16 packages are available from the Customer Portal.

Description
Red Hat build of Keycloak 26.2.16 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security fixes:
- Denial of Service via specially crafted SAML input (CVE-2026-7307)
- Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)
- Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)

Solution
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Affected Products
Red Hat build of Keycloak Text-only Advisories x86_64

Fixes
(none)

CVEs
CVE-2026-7307
CVE-2026-7504
CVE-2026-7507

References
https://access.redhat.com/security/updates/classification/#important

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
Red Hat has released an important security update for its build of Keycloak 26.2.16, addressing three high-severity vulnerabilities: a SAML-based denial of service (CVE-2026-7307, CVSS 7.5), an OIDC session fixation leading to account takeover (CVE-2026-7507, CVSS 7.5), and an open redirect via wildcard redirect URIs (CVE-2026-7504, CVSS 8.1). The advisory instructs administrators to back up their existing installation before applying the update to version 26.2.16.
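The open-redirect item (CVE-2026-7504) concerns wildcard entries in a client's valid redirect URIs. The following added example is not Red Hat's or the Keycloak project's code and does not describe the flaw's mechanism; it shows, on a constructed set of client registrations (hypothetical client IDs and URIs), two checks an administrator can script while reviewing a realm before and after the update: an audit that flags wildcard patterns reaching beyond the path, and a strict allowlist match (exact scheme, host and port; path equal to, or under, the registered entry) that a relying party can apply to a requested redirect_uri.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed sample of client registrations (hypothetical client IDs and URIs).
CLIENTS = {
    "webapp":  ["https://app.example.com/callback", "https://app.example.com/*"],
    "mobile":  ["https://m.example.com/auth/*"],
    "partner": ["https://*.example.com/cb"],
    "legacy":  ["*"],
}


def find_risky_redirects(clients):
    """Flag registered redirect URIs that are a bare wildcard, carry a
    wildcard in the scheme or host, or are not https. A wildcard in the
    path is left alone: it only widens the match within one origin."""
    risky = []
    for client_id, uris in clients.items():
        for uri in uris:
            parts = urlsplit(uri)
            if (uri == "*" or "*" in parts.scheme or "*" in parts.netloc
                    or parts.scheme != "https"):
                risky.append((client_id, uri))
    return risky


def _normalise(uri):
    """Split a URI into lower-cased scheme and host:port, a dot-segment
    free path, and the fragment."""
    parts = urlsplit(uri)
    path = posixpath.normpath(parts.path or "/")
    if not path.startswith("/"):
        path = "/" + path
    return parts.scheme.lower(), parts.netloc.lower(), path, parts.fragment


def redirect_allowed(requested, registered):
    """Strict allowlist check for a requested redirect_uri.

    The scheme and host:port must equal a registered entry exactly (so a
    user-info part, a different port or a look-alike host never matches);
    the path must equal the registered path, or sit under it when the
    entry ends in '/*'. Fragments are rejected outright. A bare '*' entry
    has no scheme or host and therefore permits nothing here."""
    scheme, netloc, path, fragment = _normalise(requested)
    if scheme != "https" or fragment or "@" in netloc:
        return False
    for entry in registered:
        e_scheme, e_netloc, e_path, _ = _normalise(entry)
        if e_scheme != scheme or e_netloc != netloc:
            continue
        if e_path.endswith("/*"):
            prefix = e_path[:-2]
            if path == prefix or path.startswith(prefix + "/"):
                return True
        elif path == e_path:
            return True
    return False


if __name__ == "__main__":
    for client_id, uri in find_risky_redirects(CLIENTS):
        print(f"review client {client_id!r}: redirect URI {uri!r}")
    print(redirect_allowed("https://app.example.com/callback", CLIENTS["webapp"]))
    print(redirect_allowed("https://app.example.com.other.example/callback", CLIENTS["webapp"]))
```

Run against a realm export, the audit lists the entries worth tightening; the validator shows why an exact origin comparison, not a glob over the whole string, is the property to preserve when a path wildcard is kept for convenience.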