CVE-2026-7500
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
A vulnerability in Keycloak causes the disabling of account and account-api features via the `--features-disabled` flag to be ineffective. Five REST API endpoints under `/account/v1alpha1` remain fully functional because they lack the `checkAccountApiEnabled()` gate that correctly blocks the other four endpoints in the same service class.
Risk Assessment
Organizations may unknowingly expose account features to users that were administratively disabled, increasing the risk of unauthorized access to data and write operations.
Recommendation
Update Keycloak to a version where the missing `checkAccountApiEnabled()` calls have been added to all endpoints in the service class handling the `/account/v1alpha1` path.
Original NVD description (English source)
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkAccountApiEnabled()` gate that correctly blocks four other endpoints in the same REST service class. The user needs to have permissions to use the API.

