PT-2026-41870 · Red Hat · Keycloak
Bzimport · Published 2026-05-19 · Updated 2026-06-03 · CVE-2026-37979

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)

Description: An access control flaw exists in the OpenID Connect (OIDC) token introspection endpoint. This issue allows a confidential client with valid credentials to bypass audience restrictions and retrieve sensitive token claims intended for other resource servers, which compromises the confidentiality of lightweight access tokens. The flaw can be exploited remotely by any confidential client within the realm.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Access Control

Related Identifiers

CVE-2026-37979
GHSA-4X37-HW65-52W8

Affected Products

Keycloak