CVE Catalog

CVE-2026-7500

MediumCVSS 5.4
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.23%

14th percentile - higher than 14% of all known CVEs

Summary

A vulnerability in Keycloak causes the disabling of account and account-api features via the `--features-disabled` flag to be ineffective. Five REST API endpoints under `/account/v1alpha1` remain fully functional because they lack the `checkAccountApiEnabled()` gate that correctly blocks the other four endpoints in the same service class.

Risk Assessment

Organizations may unknowingly expose account features to users that were administratively disabled, increasing the risk of unauthorized access to data and write operations.

Recommendation

Update Keycloak to a version where the missing `checkAccountApiEnabled()` calls have been added to all endpoints in the service class handling the `/account/v1alpha1` path.

Original NVD description (English source)

When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS