{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-7507/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-7507"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Keycloak"],"_cs_severities":["high"],"_cs_tags":["session fixation","account takeover","keycloak","cve-2026-7507"],"_cs_type":"advisory","_cs_vendors":["Red Hat"],"content_html":"\u003cp\u003eCVE-2026-7507 describes a session fixation vulnerability affecting Keycloak\u0026rsquo;s login-actions endpoints. An unauthenticated attacker can exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. The vulnerability lies in the insufficient CSRF protection and lack of cookie ownership validation of the \u003ccode\u003e/login-actions/restart\u003c/code\u003e endpoint. By exploiting this, an attacker can reset the authentication flow state, causing Keycloak to transparently authenticate the victim upon clicking the malicious link, which allows the attacker to hijack the required-action form without needing the victim\u0026rsquo;s credentials. This exploit can lead to complete account takeover, even of highly privileged administrative accounts.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker pre-creates an authentication session on the Keycloak server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL that points to the \u003ccode\u003e/login-actions/restart\u003c/code\u003e endpoint, embedding the pre-created session identifier.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious URL to the victim, typically through phishing or social engineering.\u003c/li\u003e\n\u003cli\u003eThe victim clicks the malicious link, sending a request to the \u003ccode\u003e/login-actions/restart\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDue to the lack of CSRF protection and cookie ownership validation on the \u003ccode\u003e/login-actions/restart\u003c/code\u003e endpoint, Keycloak resets the authentication flow state using the attacker\u0026rsquo;s pre-created session.\u003c/li\u003e\n\u003cli\u003eThe victim attempts to log in or is transparently authenticated if already logged into SSO.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts or hijacks the required-action form, bypassing normal authentication procedures.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control of the victim\u0026rsquo;s account, potentially gaining access to sensitive data and administrative privileges.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful exploit of CVE-2026-7507 can lead to complete account takeover of Keycloak users. This includes the potential compromise of highly privileged administrative accounts, resulting in unauthorized access to sensitive data, system configuration, and control over the Keycloak realm. This can severely impact the confidentiality, integrity, and availability of applications and services protected by Keycloak.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule to detect requests to the \u003ccode\u003e/login-actions/restart\u003c/code\u003e endpoint without proper CSRF protection.\u003c/li\u003e\n\u003cli\u003eApply the latest Keycloak patch or upgrade to a version that addresses CVE-2026-7507 as soon as it becomes available.\u003c/li\u003e\n\u003cli\u003eImplement and enforce robust CSRF protection mechanisms across all Keycloak endpoints, especially those handling authentication-related actions.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to the \u003ccode\u003e/login-actions/restart\u003c/code\u003e endpoint, such as unexpected or unauthenticated requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-19T12:18:08Z","date_published":"2026-05-19T12:18:08Z","id":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-7507-keycloak-session-fixation/","summary":"A session fixation vulnerability in Keycloak's /login-actions/restart endpoint allows an unauthenticated attacker to hijack a user's session by crafting a malicious link that resets the authentication flow, potentially leading to account takeover.","title":"CVE-2026-7507: Keycloak Session Fixation Vulnerability in Login Actions Endpoints","url":"https://feed.craftedsignal.io/briefs/2026-05-cve-2026-7507-keycloak-session-fixation/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-7507","version":"https://jsonfeed.org/version/1.1"}