Vulnerabilities ›

CVE-2026-37979

Medium

                    Published: May 19, 2026                      ·  Modified: May 19, 2026                      ·  Source: NVD                

CVSS v3

6.5

🔗 NVD Official

📄 Description (English)

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.

🤖 AI Executive Summary

A critical access control vulnerability in Keycloak's OIDC token introspection endpoint allows confidential clients to bypass audience restrictions and access sensitive token claims intended for other resource servers. This vulnerability can be exploited remotely by any authenticated confidential client in the realm, potentially compromising token confidentiality across integrated systems. The lack of available patches makes immediate compensating controls essential for Saudi organizations relying on Keycloak for identity and access management.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 19, 2026 16:49

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses significant risk to Saudi government agencies (NCA, CITC), banking sector (SAMA-regulated institutions, major banks), healthcare providers (MOH), and energy sector (ARAMCO, utilities) that use Keycloak for centralized identity management. The ability to bypass audience restrictions could allow attackers to access tokens intended for critical resource servers, potentially leading to unauthorized access to sensitive systems. Telecom operators (STC, Mobily) and financial institutions using Keycloak for OAuth2/OIDC authentication are particularly vulnerable. The impact extends to any organization with multi-tenant Keycloak deployments where confidential clients interact with multiple resource servers.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare Energy and Utilities Telecommunications Education Insurance

🎯 MITRE ATT&CK Techniques

T1110 - Brute Force (credential-based exploitation) T1550 - Use Alternate Authentication Material (token manipulation) T1556 - Modify Authentication Process (OIDC bypass) T1087 - Account Discovery (token introspection abuse) T1526 - Gather Victim Identity Information (sensitive token claims extraction)

⚖️ Saudi Risk Score (AI)

7.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Audit all Keycloak instances in your environment to identify token introspection endpoint usage and confidential client configurations

2. Review access logs for suspicious token introspection requests from confidential clients accessing tokens outside their intended audience

3. Implement network segmentation to restrict token introspection endpoint access to trusted clients only

4. Enable detailed audit logging for all token introspection requests including client ID, requested token claims, and timestamps

COMPENSATING CONTROLS (until patch available):

5. Implement API gateway or WAF rules to validate audience claims before allowing token introspection responses

6. Restrict token introspection endpoint access via IP whitelisting to known resource servers only

7. Implement rate limiting on token introspection endpoints to detect anomalous access patterns

8. Deploy additional authorization checks at resource server level to validate token audience claims independently

9. Rotate credentials for all confidential clients and implement stricter credential management policies

10. Monitor for CVE-2026-37979 patch releases from Keycloak project and apply immediately upon availability

DETECTION RULES:

- Alert on token introspection requests where requested_token_audience does not match client_id

- Monitor for single confidential client accessing introspection endpoint for multiple different audiences

- Flag introspection requests returning claims for audiences outside the requesting client's scope

- Track failed audience validation attempts at resource server level

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع نوى Keycloak في بيئتك لتحديد استخدام نقطة نهاية فحص الرموز وتكوينات العملاء السريين

2. مراجعة سجلات الوصول للطلبات المريبة لفحص الرموز من العملاء السريين الذين يصلون إلى رموز خارج جمهورهم المقصود

3. تنفيذ تقسيم الشبكة لتقييد وصول نقطة نهاية فحص الرموز للعملاء الموثوقين فقط

4. تفعيل تسجيل التدقيق التفصيلي لجميع طلبات فحص الرموز بما في ذلك معرف العميل والمطالبات المطلوبة والطوابع الزمنية



الضوابط التعويضية (حتى توفر التصحيح):

5. تنفيذ قواعد بوابة API أو WAF للتحقق من مطالبات الجمهور قبل السماح برد استجابات فحص الرموز

6. تقييد وصول نقطة نهاية فحص الرموز عبر القائمة البيضاء للعناوين IP للخوادم الموثوقة فقط

7. تنفيذ تحديد معدل على نقاط نهاية فحص الرموز للكشف عن أنماط الوصول الشاذة

8. نشر فحوصات تفويض إضافية على مستوى خادم الموارد للتحقق من مطالبات جمهور الرموز بشكل مستقل

9. تدوير بيانات اعتماد جميع العملاء السريين وتنفيذ سياسات إدارة بيانات اعتماد أكثر صرامة

10. مراقبة إصدارات تصحيح CVE-2026-37979 من مشروع Keycloak وتطبيقها فوراً عند توفرها



قواعد الكشف:

- تنبيه على طلبات فحص الرموز حيث لا يتطابق جمهور الرموز المطلوب مع معرف العميل

- مراقبة عميل سري واحد يصل إلى نقطة نهاية الفحص لعدة جماهير مختلفة

- وضع علامة على طلبات الفحص التي تُرجع مطالبات لجماهير خارج نطاق العميل الطالب

- تتبع محاولات التحقق من الجمهور الفاشلة على مستوى خادم الموارد

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

ECC 2024 A.9.2.1 - User access management and authentication controls ECC 2024 A.9.4.3 - Cryptographic controls for authentication tokens ECC 2024 A.13.1.1 - Network security and access control ECC 2024 A.14.2.1 - Vulnerability management and patch management

🔵 SAMA CSF

SAMA CSF ID.AM-2 - Software, hardware, and firmware inventory SAMA CSF PR.AC-1 - Access control policy and procedures SAMA CSF PR.AC-4 - Access rights and privileges management SAMA CSF DE.CM-1 - Detection and monitoring of unauthorized access

🟡 ISO 27001:2022

ISO 27001:2022 A.5.15 - Access control ISO 27001:2022 A.8.2 - Privileged access rights ISO 27001:2022 A.8.3 - Information access restriction ISO 27001:2022 A.14.2 - Vulnerability management

🟣 PCI DSS v4.0.1

PCI DSS 2.1 - Configuration standards for system components PCI DSS 6.2 - Security patches and updates PCI DSS 7.1 - Limit access to system components by business need PCI DSS 10.2 - Implement automated audit trails for access to cardholder data

🔗 References & Sources 2

🔗

https://access.redhat.com/security/cve/CVE-2026-37979

secalert@redhat.com

🔗

https://bugzilla.redhat.com/show_bug.cgi?id=2455328

secalert@redhat.com

📊 CVSS Score

6.5

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.5

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-05-19

Source Feed nvd

🇸🇦 Saudi Risk Score

7.8

/ 10.0 — Saudi Risk

Priority: HIGH

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-37979

Introduce Yourself

Sign In Required