ctipilot.ch


CVE-2026-7507 (+15) — Keycloak 26.6.2: identity-provider cluster including OIDC session fixation and cross-realm IDOR

notable vulnerability discovered 2026-05-18 05:00 UTC

Part of run 2026-W21-473d6fa5 (weekly · Claude Opus 4.7)

Keycloak 26.6.2 fixed 16 CVEs across its identity, authentication and authorisation subsystems, including OIDC session fixation (CVE-2026-7507), WebAuthn execute-actions token replay (CVE-2026-37982), introspection audience bypass (CVE-2026-37979) and a cross-realm IDOR in Authorization Services (CVE-2026-4630); BSI CERT-Bund issued WID-SEC-2026-1612 at HIGH. Keycloak is the dominant open-source IAM in EU and Swiss public-sector and university SSO deployments — a session-fixation or cross-realm flaw in the IdP undermines every relying-party application behind it. Upgrade to 26.6.2; prioritise multi-realm deployments where the cross-realm IDOR has the widest blast radius.
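The brief's recommendation is a version gate plus a prioritisation rule (multi-realm deployments first). The following is an added illustration, not code from ctipilot.ch or the Keycloak project, of how a defender might apply that rule to a fleet inventory. The hostnames, version strings and realm counts are constructed sample data; the only value taken from the brief is the fixed release, 26.6.2.

```python
"""Triage a Keycloak inventory against the 26.6.2 fix level.

Added example (not from the brief or the Keycloak project). The inventory
below is constructed; hostnames are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass

FIXED_VERSION = "26.6.2"  # release named in the brief as carrying the fixes


@dataclass(frozen=True)
class Instance:
    host: str      # hypothetical hostname
    version: str   # Keycloak version string as reported by the deployment
    realms: int    # number of configured realms (1 = single-realm)


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '26.6.2' into (26, 6, 2); stop at the first non-numeric part."""
    parts: list[int] = []
    for p in v.split("."):
        if p.isdigit():
            parts.append(int(p))
        else:
            break
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the running version predates the fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: list[Instance]) -> list[tuple[str, str, int]]:
    """Return affected instances in patch order: multi-realm deployments
    first (widest blast radius for the cross-realm IDOR), then by realm
    count descending, then oldest version first."""
    affected = [i for i in inventory if is_affected(i.version)]
    affected.sort(key=lambda i: (-(i.realms > 1), -i.realms, parse_version(i.version)))
    return [(i.host, i.version, i.realms) for i in affected]


# Constructed sample inventory (hypothetical hosts and values).
SAMPLE_INVENTORY = [
    Instance("sso-uni.example", "26.5.1", 7),
    Instance("sso-gov.example", "26.6.2", 12),
    Instance("sso-lab.example", "26.6.1", 1),
    Instance("sso-city.example", "25.0.6", 3),
    Instance("sso-dev.example", "26.6.3", 2),
]

if __name__ == "__main__":
    for host, version, realms in triage(SAMPLE_INVENTORY):
        print(f"{host}: {version} ({realms} realm(s)) -> upgrade to {FIXED_VERSION}")
```

Instances already at or above 26.6.2 drop out; the rest come back with the multi-realm hosts at the top of the list, which is the ordering the brief asks for.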

vulnerabilities identity auth-bypass patch-available eu-nexus europe dach CVE-2026-7507 CVE-2026-37982 CVE-2026-37979 CVE-2026-4630