[26.6][CVE-2026-7500] Improper Access Control on Keycloak Server#48799

Open
mabartos wants to merge 1 commit into keycloak:release/26.6 from mabartos:backport-48715-26.6

Conversation

@mabartos
Member

@mabartos mabartos commented May 7, 2026

…ccount Account API feature is disabled

Closes keycloak#48709

Signed-off-by: Martin Bartoš <mabartos@redhat.com>
(cherry picked from commit 8e808ca)
@mabartos mabartos requested review from a team as code owners May 7, 2026 14:06
@mabartos mabartos changed the title [26.6] [CVE-2026-7500] Improper Access Control on Keycloak Server [26.6][CVE-2026-7500] Improper Access Control on Keycloak Server May 7, 2026

@keycloak-github-bot keycloak-github-bot Bot left a comment


Unreported flaky test detected, please review

@keycloak-github-bot

Unreported flaky test detected

If the flaky tests below are affected by the changes, please review and update the changes accordingly. Otherwise, a maintainer should report the flaky tests prior to merging the PR.

org.keycloak.testsuite.forms.AuthenticatorSubflowsTest2#testSubflow2

Keycloak CI - Forms IT (chrome)

java.lang.AssertionError: Expected AppPage but was PushTheButton (https://localhost:8543/auth/realms/test/login-actions/authenticate?execution=ef86a7e3-9604-4cd3-ad16-45b5968eb92a&client_id=test-app&tab_id=tQcwP3ipSpo&client_data=eyJydSI6Imh0dHBzOi8vbG9jYWxob3N0Ojg1NDMvYXV0aC9yZWFsbXMvbWFzdGVyL2FwcC9hdXRoIiwicnQiOiJjb2RlIn0)
	at org.junit.Assert.fail(Assert.java:89)
	at org.junit.Assert.assertTrue(Assert.java:42)
	at org.keycloak.testsuite.pages.AbstractPage.assertCurrent(AbstractPage.java:39)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
...


@mabartos mabartos requested a review from vramik May 7, 2026 14:58
@mabartos
Member Author

mabartos commented May 7, 2026

@vramik Could you check this backport, please? Thanks!

@mabartos mabartos self-assigned this May 7, 2026

Development

Successfully merging this pull request may close these issues.

[CVE-2026-7500] Improper Access Control on Keycloak Server when the account Account API feature is disabled
