Bug 2455328 (CVE-2026-37979) - CVE-2026-37979 keycloak: Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass
Keywords:
Status: NEW
Alias: CVE-2026-37979
Deadline: 2026-06-23
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium (priority) / medium (severity)
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2026-04-06 07:58 UTC by OSIDB Bzimport
Modified: 2026-05-19 10:46 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-04-06 07:58:16 UTC
An access control vulnerability exists in Keycloak's OIDC token introspection endpoint: the endpoint does not enforce that the introspecting client is included in the token's aud claim before returning introspection results. A confidential, attacker-controlled client that obtains or intercepts an access token issued to a different audience can therefore call the introspection endpoint and receive the full claim set, including claims intentionally omitted from lightweight access tokens. Any confidential client in the realm with valid credentials can exploit this remotely. The vulnerability breaks the confidentiality model of lightweight tokens and lets unintended clients recover sensitive attributes meant only for the legitimate resource server.
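The following is an added illustration of the missing check, written for this page; it is not Keycloak's code and does not reproduce Keycloak's internals. It simulates an RFC 7662 introspection endpoint over a constructed realm: the client IDs, secrets, the opaque token value and the claim set are all assumptions chosen for the example. `introspect_vulnerable` behaves as the description says (any authenticated confidential client gets every server-side claim), and `introspect_fixed` adds the audience check, answering `{"active": false}` to a caller that is not in the token's aud.

```python
"""Simulated OAuth 2.0 token introspection (RFC 7662) with and without the
audience check described in the advisory. Added illustration, not Keycloak code."""
import time
from hmac import compare_digest

# Constructed realm state: two confidential clients, one attacker-controlled.
CLIENTS = {
    "billing-api": "billing-secret",   # the legitimate resource server (in aud)
    "evil-app": "evil-secret",         # attacker-controlled confidential client
}

# Claims a lightweight access token actually carries. Everything else in the
# server-side record is only meant to surface through introspection by the
# token's audience. (Assumed set, for illustration.)
LIGHTWEIGHT_CLAIMS = {"iss", "sub", "aud", "scope", "iat", "exp"}

# Server-side record for one issued opaque token (constructed sample data).
TOKEN_STORE = {
    "opaque-token-abc": {
        "iss": "https://idp.example.com/realms/demo",
        "sub": "6f1e2c44-0d5b-4d1e-9b5c-2f6a7e3b9c10",
        "aud": ["billing-api"],
        "scope": "openid invoices:read",
        "iat": 1_800_000_000,
        "exp": 1_800_000_300,
        "email": "alice@example.com",
        "realm_access": {"roles": ["finance-admin"]},
        "groups": ["/finance"],
    }
}


def authenticate_client(client_id, client_secret):
    """Confidential-client authentication with a constant-time secret compare."""
    expected = CLIENTS.get(client_id)
    return expected is not None and compare_digest(expected, client_secret)


def _lookup_active(token, now):
    """Return the stored claims for a known, unexpired token, else None."""
    claims = TOKEN_STORE.get(token)
    if claims is None or now >= claims["exp"]:
        return None
    return claims


def introspect_vulnerable(client_id, client_secret, token, now=None):
    """Behaviour the advisory describes: any authenticated confidential client
    receives the full claim set, regardless of the token's aud."""
    if not authenticate_client(client_id, client_secret):
        raise PermissionError("invalid client credentials")
    claims = _lookup_active(token, now if now is not None else time.time())
    if claims is None:
        return {"active": False}
    return {"active": True, **claims}


def introspect_fixed(client_id, client_secret, token, now=None):
    """Same endpoint with the audience check. A caller outside aud learns only
    'inactive': RFC 7662 section 2.2 allows the server to answer that way for
    tokens the caller is not authorised to inspect."""
    if not authenticate_client(client_id, client_secret):
        raise PermissionError("invalid client credentials")
    claims = _lookup_active(token, now if now is not None else time.time())
    if claims is None:
        return {"active": False}
    aud = claims.get("aud", [])
    if isinstance(aud, str):          # aud may be a single string or a list
        aud = [aud]
    if client_id not in aud:
        return {"active": False}
    return {"active": True, **claims}


def claims_disclosed_beyond_token(response):
    """Claims the caller learned that the bearer token itself does not carry.
    A non-empty result for a caller outside aud is the disclosure."""
    return sorted(k for k in response if k not in LIGHTWEIGHT_CLAIMS and k != "active")


if __name__ == "__main__":
    NOW = 1_800_000_100  # fixed clock so the sample token is within its lifetime
    for endpoint in (introspect_vulnerable, introspect_fixed):
        resp = endpoint("evil-app", "evil-secret", "opaque-token-abc", now=NOW)
        print(endpoint.__name__, "-> attacker learned:", claims_disclosed_beyond_token(resp))
```

To check a real deployment for this behaviour, obtain an access token issued for one client, then call the realm's introspection endpoint (`/realms/<realm>/protocol/openid-connect/token/introspect`) with the credentials of a different confidential client that is not in that token's aud. Anything beyond `{"active": false}` in the response is the disclosure described above. The page does not state a fixed version (Fixed In Version is empty), and the `{"active": false}` answer is this example's choice per RFC 7662, not a statement of what Keycloak's fix returns.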

