CVE-2026-7507 is a session fixation vulnerability in Keycloak, an open-source identity and access management solution. The flaw resides in the `/login-actions/restart` endpoint, which processes session handles without adequate CSRF protection or cookie-ownership validation. An unauthenticated attacker can pre-create an authentication session and trick a victim into visiting a specially crafted link. That link uses the `/login-actions/restart` endpoint to reset the authentication flow state, so Keycloak’s Single Sign-On (SSO) authenticates the victim transparently, and the attacker can then hijack the required-action form without ever needing the victim’s credentials.

The underlying issue is in the `SessionCodeChecks.java` logic: an `auth_session_id` and the related login-action parameters can be reused from a different browser session, forcing the server to accept a mismatched authentication session. A successful exploit leads to complete account takeover, including highly privileged administrative accounts.

The vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing) and carries a CVSS v3.1 base score of 7.5 (High) with the vector AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H: the attack is network-based, has high attack complexity, requires no privileges but does require user interaction, and has a high impact on confidentiality, integrity, and availability. The vulnerability was published on May 19, 2026.
DailyCVE Form:
Platform: Keycloak
Version: <=26.6.1
Vulnerability: Session Fixation
Severity: High (7.5)
Date: 2026-05-19
Prediction: Patch before 2026-06-02
What Undercode Say:
Check Keycloak version:
$ grep -i "keycloak.version" pom.xml | head -n1
<keycloak.version>26.6.1</keycloak.version>
Search for vulnerable endpoint usage:
$ grep -r "/login-actions/restart" keycloak/themes/
Test session fixation (conceptual):
$ curl -i -X GET "https://target.keycloak.com/auth/realms/master/login-actions/restart?session_code=malicious_session"
Exploit:
An attacker crafts a URL containing a known `auth_session_id` and sends it to a victim. When the victim opens it, the victim authenticates into the attacker’s pre-created session. The attacker can then refresh the page to reach the now-authenticated session, fully compromising the victim’s account.
Protection:
Upgrade to Keycloak version 26.6.2 or later, which includes a fix in the `SessionCodeChecks.java` logic. As defense in depth, add CSRF tokens to the `/login-actions/restart` endpoint and enforce strict binding between the browser’s authentication cookie and the session named in the request.
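The two mitigations above, cookie-to-session binding and a CSRF token on the restart link, can be expressed as a single server-side check. The code below is an added illustration written for this page, not Keycloak’s own implementation: the cookie name `AUTH_SESSION_ID`, the query parameters `auth_session_id` and `csrf_token`, and the functions `csrf_token_for` and `check_restart` are all assumed names. It shows why a link that names a session the victim’s browser does not own is rejected before the flow is touched.

```python
"""Hypothetical restart-endpoint guard (added example; not Keycloak code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

AUTH_COOKIE = "AUTH_SESSION_ID"  # assumed cookie name
AUTH_PARAM = "auth_session_id"   # assumed query parameter name
CSRF_PARAM = "csrf_token"        # assumed query parameter name


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: parsed query params and cookies."""
    query: dict
    cookies: dict


def csrf_token_for(session_id: str, server_secret: bytes) -> str:
    """Token the server embeds in restart links it issues for one auth session.

    Keyed on a server-side secret and the session id, so a link cannot be
    forged for a session unless the server itself issued it.
    """
    return hmac.new(server_secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_restart(req: Request, server_secret: bytes) -> tuple:
    """Return (allowed, reason). The flow is only reset when both checks pass."""
    session_id = req.query.get(AUTH_PARAM)
    if not session_id:
        return False, "missing auth_session_id"

    # Cookie-ownership check: the session named in the URL must be the one this
    # browser already holds. A victim following someone else's link carries her
    # own cookie (or none), so a session id she does not own is rejected here.
    cookie_id = req.cookies.get(AUTH_COOKIE)
    if cookie_id is None or not hmac.compare_digest(cookie_id.encode(), session_id.encode()):
        return False, "auth session in URL does not match browser cookie"

    # CSRF check: the link must carry the token the server issued for this
    # session; a guessed or copied token fails the constant-time comparison.
    presented = req.query.get(CSRF_PARAM, "")
    expected = csrf_token_for(session_id, server_secret)
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return False, "invalid or missing CSRF token"

    return True, "ok"


def demo() -> dict:
    """Run the guard against constructed requests and return each verdict."""
    secret = secrets.token_bytes(32)
    own_sid = secrets.token_urlsafe(16)      # session this browser created
    foreign_sid = secrets.token_urlsafe(16)  # session created elsewhere

    # Legitimate restart: server-issued link, cookie matches the URL.
    legit = Request(
        query={AUTH_PARAM: own_sid, CSRF_PARAM: csrf_token_for(own_sid, secret)},
        cookies={AUTH_COOKIE: own_sid},
    )
    # Link names a foreign session; this browser holds a different cookie.
    foreign_with_cookie = Request(
        query={AUTH_PARAM: foreign_sid, CSRF_PARAM: csrf_token_for(foreign_sid, secret)},
        cookies={AUTH_COOKIE: own_sid},
    )
    # Same foreign link, browser has no auth cookie at all.
    foreign_no_cookie = Request(
        query={AUTH_PARAM: foreign_sid, CSRF_PARAM: csrf_token_for(foreign_sid, secret)},
        cookies={},
    )
    # Correct cookie but a token that was never issued by the server.
    bad_token = Request(
        query={AUTH_PARAM: own_sid, CSRF_PARAM: "0" * 64},
        cookies={AUTH_COOKIE: own_sid},
    )
    return {
        "legit": check_restart(legit, secret),
        "foreign_with_cookie": check_restart(foreign_with_cookie, secret),
        "foreign_no_cookie": check_restart(foreign_no_cookie, secret),
        "bad_token": check_restart(bad_token, secret),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:20s} allowed={allowed} ({reason})")
```

The order of the checks matters: the cookie comparison runs first so that a request naming a session this browser never created is refused regardless of what token the link carries, and the CSRF comparison then catches links that name the right session but were not issued by the server.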
Impact:
Complete account takeover, including compromise of highly privileged administrative accounts, leading to full control over the identity management system and all relying applications.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

