CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Blast Radius
Ecosystem impact: 75 Maven packages depend on org.keycloak:keycloak-services (41 direct, 34 indirect).
Ecosystem-wide dependent count for version 26.6.1.
Description (NVD)
When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional - including both read and write operations - because they lack the checkAccountApiEnabled() gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.
Analysis (AI)
Keycloak's Account REST API remains partially accessible even when explicitly disabled via the --features-disabled=account,account-api flag, allowing authenticated users to read and modify account data through five unprotected endpoints under /account/v1alpha1/ that lack the required checkAccountApiEnabled() access control gate present in four sibling endpoints within the same service class.
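The defect described above is a classic per-endpoint gate omission: the feature check is a call each handler has to remember, so siblings in the same class can silently miss it. The following Python is an added illustration, not Keycloak's code, and its service, endpoint names (`get_profile`, `update_profile`) and sample data are hypothetical. It models the buggy pattern, a hardened variant that applies the gate centrally to every endpoint, and a behavioural audit that starts the service with the feature disabled and reports any endpoint that still executes.

```python
import inspect
from functools import wraps


class FeatureDisabledError(Exception):
    """Raised when a request reaches an endpoint of a disabled feature."""


# Hypothetical naming convention: public handler methods start with one of these.
ENDPOINT_PREFIXES = ("get_", "update_", "delete_", "list_")


class AccountRestService:
    """Toy REST service. `account_api_enabled` stands in for the
    --features-disabled=account,account-api flag."""

    def __init__(self, account_api_enabled: bool):
        self.account_api_enabled = account_api_enabled
        self.profile = {"email": "user@example.test"}  # constructed sample data

    def check_account_api_enabled(self):
        """The per-endpoint gate: correct only if every handler calls it."""
        if not self.account_api_enabled:
            raise FeatureDisabledError("account-api is disabled")

    def get_profile(self):
        # Correctly gated endpoint.
        self.check_account_api_enabled()
        return dict(self.profile)

    def update_profile(self, **fields):
        # Bug pattern: a sibling endpoint whose author forgot the gate, so a
        # write operation keeps working while the feature is "disabled".
        self.profile.update(fields)
        return dict(self.profile)


def endpoint_names(cls):
    """All handler methods of a service class, inherited ones included."""
    return sorted(name for name, member in inspect.getmembers(cls, inspect.isfunction)
                  if name.startswith(ENDPOINT_PREFIXES))


def gated(func):
    """Wrap a handler so the feature check runs before its body."""
    @wraps(func)
    def wrapper(self, *args, **kwargs):
        self.check_account_api_enabled()
        return func(self, *args, **kwargs)
    return wrapper


def gate_all_endpoints(cls):
    """Class decorator: apply the gate to every handler, so it cannot be
    forgotten on one method while present on its siblings."""
    for name in endpoint_names(cls):
        setattr(cls, name, gated(getattr(cls, name)))
    return cls


@gate_all_endpoints
class HardenedAccountRestService(AccountRestService):
    """Same handlers, gate applied centrally (get_profile is gated twice, harmlessly)."""


def audit_gates(cls):
    """Start the service with the feature disabled, call each handler with no
    arguments, and return the names of those that run instead of raising."""
    svc = cls(account_api_enabled=False)
    leaks = []
    for name in endpoint_names(cls):
        try:
            getattr(svc, name)()
        except FeatureDisabledError:
            continue
        leaks.append(name)
    return leaks


if __name__ == "__main__":
    print("buggy service leaks:   ", audit_gates(AccountRestService))
    print("hardened service leaks:", audit_gates(HardenedAccountRestService))
```

The audit is the piece worth carrying into a real test suite: rather than reading each handler for the check, it exercises every registered endpoint under the disabled configuration and fails the build if any of them answers.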
EUVD-2026-26381