CVE-2026-7500

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description When the software is started with the --features-disabled=account,account-api flag, the Account REST API is only partially disabled. Five endpoints under the versioned path "/account/v1alpha1" remain fully functional for both read and write operations. This occurs because these endpoints lack the checkAccountApiEnabled() function gate that is used to block other endpoints within the same REST service class. Access to these endpoints still requires the user to have the necessary permissions to use the API.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.