Skip to main content

Keycloak. The Keycloak Authorization CVE-2026-0707

MEDIUM
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization (CWE-551)
2026-01-08 secalert@redhat.com GHSA-gv94-wp4h-vv8p
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Red Hat
5.3 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Patch released
Apr 09, 2026 - 14:30 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 08, 2026 - 04:15 nvd
MEDIUM 5.3

DescriptionCVE.org

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

AnalysisAI

Keycloak's Authorization header parser improperly tolerates non-RFC 6750 compliant formatting, including tabs and case variations in Bearer token authentication. This lax validation could enable attackers to bypass authentication mechanisms or manipulate token validation logic in applications relying on strict Bearer token parsing. No patch is currently available for this medium-severity vulnerability.

Technical ContextAI

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

Affected ProductsAI

Keycloak

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Vendor StatusVendor

Share

CVE-2026-0707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy