Keycloak Session Fixation Vulnerability in Login Actions Endpoints Allowing Account Takeover

Vulnerability

A session fixation vulnerability exists in Keycloak's login-actions endpoints. An unauthenticated attacker can exploit this issue by pre-creating an authentication session and tricking a victim into clicking a malicious link. The attacker can use the /login-actions/restart endpoint, which lacks proper Cross-Site Request Forgery (CSRF) protection and cookie ownership validation, to reset the authentication flow. This manipulation causes Single Sign-On (SSO) to authenticate the victim automatically when they click the link, enabling the attacker to hijack the required-action form without needing the victim's credentials. Successful exploitation could result in complete account takeover, including access to highly privileged administrative accounts.

Impact

Exploitation of this vulnerability allows for full account takeover, particularly of the master-realm admin account in default Keycloak deployments.

Added: May 19, 2026, 12:19 PM
Updated: May 19, 2026, 12:19 PM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          5.0
exploitability  6.0
remediation     0.0
relevance       8.8
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.