Security News

HIGH | Vulnerabilities | Red Hat Errata

RHSA-2026:19596: Important: Red Hat build of Keycloak 26.4.12 Security Update

This Important-severity update for Red Hat build of Keycloak fixes nine CVEs, among them a denial of service via specially crafted SAML input (CVE-2026-7307, CVSS 7.5), account takeover via WebAuthn token replay (CVE-2026-37982), session fixation in the OIDC login flow that can also lead to account takeover (CVE-2026-7507), an open redirect when wildcard valid redirect URIs are configured (CVE-2026-7504), an Insecure Direct Object Reference allowing unauthorized resource access and data modification (CVE-2026-4630), and several information disclosure flaws. The fix is to update to Red Hat build of Keycloak 26.4.12. Before applying the update, back up the existing installation, including applications, configuration files, databases and database settings.

Red Hat Product Errata RHSA-2026:19596 - Security Advisory
Issued: 2026-05-20
Updated: 2026-05-20

Synopsis: Important: Red Hat build of Keycloak 26.4.12 Security Update
Type/Severity: Security Advisory: Important

Topic
New Red Hat build of Keycloak 26.4.12 packages are available from the Customer Portal.

Description
Red Hat build of Keycloak 26.4.12 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications.

Security fixes:
- Denial of Service via specially crafted SAML input (CVE-2026-7307)
- Information Disclosure via evaluate-scopes Admin API (CVE-2026-37978)
- Unauthorized account takeover via WebAuthn token replay (CVE-2026-37982)
- Information disclosure via OIDC token introspection endpoint audience bypass (CVE-2026-37979)
- Access token disclosure and implicit flow bypass via forged client data (CVE-2026-7571)
- Session fixation in OIDC login flow that can lead to account takeover (CVE-2026-7507)
- Open redirect when using wildcard valid redirect URIs in Keycloak (CVE-2026-7504)
- Information disclosure via broken access control in user lookup endpoint (CVE-2026-37981)
- Unauthorized resource access and data modification via Insecure Direct Object Reference (CVE-2026-4630)

Solution
Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Affected Products
Red Hat build of Keycloak Text-only Advisories (x86_64)

Fixes
(none)

CVEs
CVE-2026-4630, CVE-2026-7307, CVE-2026-7504, CVE-2026-7507, CVE-2026-7571, CVE-2026-37978, CVE-2026-37979, CVE-2026-37981, CVE-2026-37982

References
https://access.redhat.com/security/updates/classification/#important

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
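Two of the conditions in this advisory can be checked from a realm export before scheduling the upgrade: whether the server is still below the fixed 26.4.12 release, and which clients carry wildcard valid redirect URIs, the configuration CVE-2026-7504 depends on. The script below is an added example written for this page; it is not Red Hat's or the Keycloak project's code. It assumes the input is a standard Keycloak realm export JSON (top-level keycloakVersion, and clients[] entries with clientId and redirectUris[]); the sample realm embedded in it is constructed, not taken from any real deployment.

```python
"""Audit a Keycloak realm export for two conditions named in RHSA-2026:19596:
a server version older than 26.4.12, and clients whose valid redirect URIs
contain wildcards (the precondition for the open redirect, CVE-2026-7504).

Added example for this page, not Red Hat's or the Keycloak project's code.
Assumption: the input is a standard Keycloak realm export (keycloakVersion,
clients[].clientId, clients[].redirectUris[]). The sample realm is constructed.
"""
import json

FIXED_VERSION = (26, 4, 12)  # release shipped by RHSA-2026:19596

# Constructed sample realm export for demonstration only.
SAMPLE_REALM_JSON = json.dumps({
    "realm": "demo",
    "keycloakVersion": "26.4.11",
    "clients": [
        {"clientId": "account-console", "redirectUris": ["/realms/demo/account/*"]},
        {"clientId": "legacy-portal", "redirectUris": ["*"]},
        {"clientId": "mobile-app", "redirectUris": ["https://*"]},
        {"clientId": "intranet", "redirectUris": [
            "https://intranet.example.com/cb", "https://intranet.example.com/*"]},
        {"clientId": "reporting", "redirectUris": ["https://reports.example.com/oidc/callback"]},
    ],
})


def parse_version(text):
    """'26.4.11' -> (26, 4, 11). Stops at the first non-numeric component so a
    vendor suffix after the patch number does not break the comparison."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def needs_update(version_text, fixed=FIXED_VERSION):
    """True when the reported server version is older than the fixed release."""
    return parse_version(version_text) < fixed


def classify_redirect_uri(uri):
    """Rank one valid-redirect-URI entry by how much of it an attacker controls.

    'critical': the wildcard covers the whole entry or the host, so an
                attacker-chosen origin matches.
    'warning' : the wildcard is confined to the path of a fixed host
                (still worth reviewing, but the origin is pinned).
    None      : no wildcard present.
    """
    if "*" not in uri:
        return None
    if uri.strip() == "*":
        return "critical"
    scheme_sep = uri.find("://")
    if scheme_sep == -1:
        # Relative entry (e.g. '/realms/x/account/*'): host is the server itself.
        return "warning"
    host = uri[scheme_sep + 3:].split("/", 1)[0]
    return "critical" if "*" in host else "warning"


def audit_realm(realm_json):
    """Return {'needs_update': bool, 'wildcard_clients': {clientId: [(uri, severity), ...]}}."""
    realm = json.loads(realm_json)
    findings = {
        "needs_update": needs_update(realm.get("keycloakVersion", "0")),
        "wildcard_clients": {},
    }
    for client in realm.get("clients", []):
        flagged = []
        for uri in client.get("redirectUris", []):
            severity = classify_redirect_uri(uri)
            if severity:
                flagged.append((uri, severity))
        if flagged:
            findings["wildcard_clients"][client["clientId"]] = flagged
    return findings


if __name__ == "__main__":
    result = audit_realm(SAMPLE_REALM_JSON)
    print("server below 26.4.12:", result["needs_update"])
    for client_id, entries in result["wildcard_clients"].items():
        for uri, severity in entries:
            print(f"{severity.upper():9}{client_id}: {uri}")
```

Run it against a real export (kc.sh export, or the admin console's partial export) by replacing SAMPLE_REALM_JSON with the file contents. Entries rated critical are the ones to fix before or alongside the upgrade, since a bare or host-level wildcard lets any origin pass the redirect check regardless of the server version.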
