CVE-2026-7507
CVSS 7.5
An attacker can set up a Keycloak auth session ahead of time, then send a victim a crafted link. When the victim clicks it, Keycloak's SSO silently authenticates them into the attacker's pre-built session, letting the attacker hijack the post-login flow. This can lead to full account takeover, including admin accounts, without ever needing the victim's password.