CVE-2026-37979
Keycloak: keycloak: information disclosure via oidc token introspection endpoint audience bypass
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.5EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado
Lifecycle
19 May 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
Red Hat · Red Hat build of Keycloak 26.4Red Hat · Red Hat build of Keycloak 26.4.12Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →