CVE-2026-7507

High

Published: 19 May 2026

Published

19 May 2026

Modified

20 May 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0004 10.9th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-7507 is a high-severity Authentication Bypass by Spoofing (CWE-290) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, ranked at the 10.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-9 Previous Logon Notification

addresses: CWE-290

Reveals spoofed logon attempts through unexpected previous logon timestamps upon legitimate login.

AT-2 Literacy Training and Awareness

addresses: CWE-290

Training specifically addresses recognizing spoofed communications and phishing that enable authentication bypass.

IA-12 Identity Proofing

addresses: CWE-290

Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to successfully spoof or impersonate users to obtain accounts.

IA-3 Device Identification and Authentication

addresses: CWE-290

Unique device authentication makes successful spoofing of device identity substantially more difficult to achieve.

IA-8 Identification and Authentication (Non-organizational Users)

addresses: CWE-290

Unique identification of non-organizational users reduces the feasibility of authentication bypass by spoofing.

IA-9 Service Identification and Authentication

addresses: CWE-290

Unique identification and authentication of services before communications makes spoofing of service identities substantially harder.

SC-11 Trusted Path

addresses: CWE-290

Isolated trusted path ensures the user interacts only with genuine system components, preventing spoofing of authentication interfaces or prompts.

SC-20 Secure Name/Address Resolution Service (Authoritative Source)

addresses: CWE-290

Directly counters DNS response spoofing by requiring cryptographic origin authentication artifacts from the authoritative source.

NVD Description

A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the /login-actions/restart endpoint—which processes session handles…

without adequate CSRF protection or cookie ownership validation—an attacker can reset the authentication flow state. This causes Single Sign-On (SSO) to authenticate the victim transparently upon clicking the link, allowing the attacker to hijack the required-action form without needing the victim's credentials. A successful exploit could lead to complete account takeover, including highly privileged administrative accounts.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-290

References

https://access.redhat.com/errata/RHSA-2026:19594
secalert@redhat.com
https://access.redhat.com/errata/RHSA-2026:19595
secalert@redhat.com
https://access.redhat.com/errata/RHSA-2026:19596
secalert@redhat.com
https://access.redhat.com/errata/RHSA-2026:19597
secalert@redhat.com
https://access.redhat.com/security/cve/CVE-2026-7507
secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2464145
secalert@redhat.com