ctipilot.ch

Keycloak 26.6.2 — 16 CVEs across identity/auth/authz: OIDC session fixation (CVE-2026-7507), WebAuthn execute-actions replay (CVE-2026-37982), introspection audience bypass (CVE-2026-37979), cross-realm IDOR in Authz Services (CVE-2026-4630); BSI WID-SEC-2026-1612 HIGH

cve · item:keycloak-26-6-2-may-2026-16-cves-oidc-session-fix-webauthn-i

Coverage timeline: 1 (first 2026-05-21 → last 2026-05-21)
Briefs: 1 (1 distinct)
Sources cited: 2 (2 hosts)
Sections touched: 1 (trending_vulns)
Co-occurring entities: 0 (no co-occurrence)

Story timeline

  1. 2026-05-21: CTI Daily Brief — 2026-05-21
     Section: trending_vulns. First coverage. Keycloak 26.6.2 shipped 2026-05-19 fixing 16 CVEs. BSI CERT-Bund advisory 2026-05-20 HIGH risk. Operationally highest priority: OIDC session fixation, WebAuthn execute-actions replay, introspection audience-restriction bypass, cross-realm IDOR in Authz Services, evaluate-scopes PII leak, AAGUID policy bypass. EU public-sector IAM hub (national digital identity, eHealth federations, EU institutions).

Where this entity is cited

  • trending_vulns: 1

Source distribution

  • keycloak.org: 1 (50%)
  • wid.cert-bund.de: 1 (50%)

Items in briefs about Keycloak 26.6.2 — 16 CVEs across identity/auth/authz: OIDC session fixation (CVE-2026-7507), WebAuthn execute-actions replay (CVE-2026-37982), introspection audience bypass (CVE-2026-37979), cross-realm IDOR in Authz Services (CVE-2026-4630); BSI WID-SEC-2026-1612 HIGH

No parsed item heading or body matches this entity yet. Items match by exact CVE id (for CVE entities), by lead-segment substring of the title in the item heading or body, or by a distinctive anchor token from the title appearing in the item heading. Coverage that lives inside a broader section (no per-item heading) is captured by the Story timeline above.