ctipilot.ch


CVE-2026-7507 (+15) — Keycloak 26.6.2: identity-provider cluster including OIDC session fixation and cross-realm IDOR

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18

Keycloak 26.6.2 fixed 16 CVEs across its identity, authentication and authorisation subsystems, including OIDC session fixation (CVE-2026-7507), WebAuthn execute-actions token replay (CVE-2026-37982), introspection audience bypass (CVE-2026-37979) and a cross-realm IDOR in Authorization Services (CVE-2026-4630); BSI CERT-Bund issued WID-SEC-2026-1612 at HIGH. Keycloak is the dominant open-source IAM in EU and Swiss public-sector and university SSO deployments, and a session-fixation or cross-realm flaw in the IdP undermines every relying-party application behind it. Upgrade to 26.6.2; prioritise multi-realm deployments, where the cross-realm IDOR has the widest blast radius.
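A small triage helper for the upgrade advice above, added here as an example and not code from the brief, from BSI or from the Keycloak project. It decides whether an instance is below the 26.6.2 fix release and whether it should be treated as a multi-realm (higher-priority) deployment. The two JSON inputs are constructed samples shaped like what I assume the admin REST endpoints `GET /admin/serverinfo` (`systemInfo.version`) and `GET /admin/realms` return; the version string formats handled (`26.6.2`, `26.6.2.Final`, `26.6.2-SNAPSHOT`) and the "more than one non-master realm" heuristic are my assumptions, not anything the brief states.

```python
"""Keycloak CVE-2026-7507 (+15) upgrade triage (added example, not project code).

Inputs are constructed JSON strings mimicking the admin API responses
(assumed shapes: {"systemInfo": {"version": ...}} and [{"realm": ...}, ...]).
"""
import json
import re

# Fix release named in the advisory: 26.6.2. The trailing 1 marks a final
# (non-pre-release) build so that 26.6.2-SNAPSHOT sorts below 26.6.2.
FIXED_VERSION = (26, 6, 2, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.\-]([A-Za-z0-9.]+))?$")
_PRERELEASE_TAGS = ("snapshot", "rc", "beta", "alpha", "cr")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH[.Final|-SNAPSHOT|-rc1...]' into a comparable tuple.

    Fourth element: 1 for a final build, 0 for a pre-release of that version,
    so that (26, 6, 2, 0) < (26, 6, 2, 1) and a snapshot is still 'affected'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Keycloak version string: {version!r}")
    major, minor, patch, suffix = m.groups()
    is_final = 1
    if suffix and suffix.lower().startswith(_PRERELEASE_TAGS):
        is_final = 0
    return (int(major), int(minor), int(patch), is_final)


def is_affected(version: str) -> bool:
    """True if the instance is older than the 26.6.2 fix release."""
    return parse_version(version) < FIXED_VERSION


def triage(serverinfo_json: str, realms_json: str) -> dict:
    """Combine version and realm inventory into an upgrade-priority verdict.

    Assumed heuristic: 'multi-realm' means more than one realm besides the
    built-in 'master' realm; those get 'high' because the cross-realm IDOR
    (CVE-2026-4630) has the widest blast radius there.
    """
    version = json.loads(serverinfo_json)["systemInfo"]["version"]
    realms = [r["realm"] for r in json.loads(realms_json)]
    tenant_realms = [r for r in realms if r != "master"]
    affected = is_affected(version)
    if not affected:
        priority = "none"
    elif len(tenant_realms) > 1:
        priority = "high"
    else:
        priority = "normal"
    return {
        "version": version,
        "affected": affected,
        "tenant_realms": tenant_realms,
        "priority": priority,
    }


# Constructed sample responses (not captured from a real instance).
SAMPLE_SERVERINFO = '{"systemInfo": {"version": "26.5.1"}}'
SAMPLE_REALMS = '[{"realm": "master"}, {"realm": "hr"}, {"realm": "students"}]'

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_SERVERINFO, SAMPLE_REALMS), indent=2))
```

In practice you would replace the two constants with the bodies of the authenticated admin API calls; the version parser is the part worth keeping, since a `-SNAPSHOT` or `.Final` suffix otherwise breaks naive string comparison against "26.6.2".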