CVE-2026-7507: Keycloak Session Fixation Vulnerability in Login Actions Endpoints

CVE-2026-7507 describes a session fixation vulnerability affecting Keycloak’s login-actions endpoints. An unauthenticated attacker can exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. The vulnerability lies in the insufficient CSRF protection and lack of cookie ownership validation of the /login-actions/restart endpoint. By exploiting this, an attacker can reset the authentication flow state, causing Keycloak to transparently authenticate the victim upon clicking the malicious link, which allows the attacker to hijack the required-action form without needing the victim’s credentials. This exploit can lead to complete account takeover, even of highly privileged administrative accounts.

Attack Chain

1. The attacker pre-creates an authentication session on the Keycloak server.
2. The attacker crafts a malicious URL that points to the /login-actions/restart endpoint, embedding the pre-created session identifier.
3. The attacker sends the malicious URL to the victim, typically through phishing or social engineering.
4. The victim clicks the malicious link, sending a request to the /login-actions/restart endpoint.
5. Due to the lack of CSRF protection and cookie ownership validation on the /login-actions/restart endpoint, Keycloak resets the authentication flow state using the attacker’s pre-created session.
6. The victim attempts to log in or is transparently authenticated if already logged into SSO.
7. The attacker intercepts or hijacks the required-action form, bypassing normal authentication procedures.
8. The attacker gains control of the victim’s account, potentially gaining access to sensitive data and administrative privileges.

Impact

A successful exploit of CVE-2026-7507 can lead to complete account takeover of Keycloak users. This includes the potential compromise of highly privileged administrative accounts, resulting in unauthorized access to sensitive data, system configuration, and control over the Keycloak realm. This can severely impact the confidentiality, integrity, and availability of applications and services protected by Keycloak.

Recommendation

• Deploy the Sigma rule to detect requests to the /login-actions/restart endpoint without proper CSRF protection.
• Apply the latest Keycloak patch or upgrade to a version that addresses CVE-2026-7507 as soon as it becomes available.
• Implement and enforce robust CSRF protection mechanisms across all Keycloak endpoints, especially those handling authentication-related actions.
• Monitor web server logs for suspicious activity related to the /login-actions/restart endpoint, such as unexpected or unauthenticated requests.