What is the CVSS score of CVE-2026-37979?

CVE-2026-37979 has a CVSS 3.1 base score of 6.5 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-37979?

Yes, a patch is available for CVE-2026-37979. Update the affected software to the latest version immediately.

Red Hat Keycloak CVE-2026-37979

EUVD-2026-30887 MEDIUM

Improper Access Control (CWE-284)

2026-05-19 redhat

GHSA-4x37-hw65-52w8

Authentication Bypass Red Hat

6.5

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

May 19, 2026 - 12:02 vuln.today

DescriptionNVD

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other resource servers, compromising the confidentiality of lightweight access tokens. This issue can be exploited remotely by any confidential client in the realm with valid credentials.

AnalysisAI

Audience restriction bypass in Keycloak's OpenID Connect token introspection endpoint exposes sensitive token claims to unauthorized confidential clients. Any attacker-controlled confidential client holding valid realm credentials can query the introspection endpoint and retrieve claims from lightweight access tokens issued to other resource servers - violating the isolation guarantees of audience-scoped tokens. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory