Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Lifecycle Timeline
1Blast Radius
ecosystem impact- 50 maven packages depend on org.keycloak:keycloak-services (22 direct, 28 indirect)
Ecosystem-wide dependent count for version 26.5.0.
DescriptionCVE.org
A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web address. If a user clicks this link, the client application might incorrectly prioritize attacker-controlled information over legitimate data. This vulnerability, known as HTTP parameter pollution, could allow an attacker to bypass security measures or gain unauthorized access to resources.
AnalysisAI
HTTP parameter pollution in Keycloak enables authentication bypass against deployments where OAuth/OIDC client applications are configured with permissive redirect URI patterns. An unauthenticated remote attacker who can trick a user into clicking a crafted authorization URL can inject duplicate HTTP parameters into the OAuth flow, causing the client application to prioritize attacker-supplied values over server-authoritative data - potentially hijacking the authentication process or gaining unauthorized resource access. No public exploit has been identified and EPSS (0.08%, 23rd percentile) signals low real-world exploitation probability; however, the authentication bypass impact is meaningful in identity-sensitive deployments.
Technical ContextAI
Keycloak is a widely-deployed open-source identity and access management (IAM) platform supporting OAuth 2.0 and OpenID Connect (OIDC) flows. The root cause is CWE-1288 (Improper Validation of Consistency within Input), which in this context manifests as HTTP parameter pollution - a technique where duplicate query parameters in a crafted URL are resolved inconsistently by different components in the authentication chain (e.g., the authorization server versus the relying-party client application). When a Keycloak client is registered with overly broad redirect URI patterns (wildcards or prefix-matching rather than exact URIs), an attacker can insert duplicate authorization parameters (such as state, redirect_uri, or code) into the authorization request URL. The downstream client processes these polluted parameters out of intended precedence order, acting on attacker-supplied values instead of those set by the authorization server. No CPE strings were provided in the available data, so exact affected package versions cannot be confirmed from this source alone.
RemediationAI
The primary remediation is to enforce strict, exact-match redirect URI registration for all Keycloak OAuth/OIDC clients - replacing any wildcard, prefix-based, or broadly permissive URI patterns with fully-qualified exact URIs. This directly eliminates the misconfiguration prerequisite required for exploitation; the trade-off is that legitimate applications must have all valid redirect URIs explicitly enumerated, which requires a URI audit across registered clients. For patch availability and exact fixed versions, consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9689 - no specific patched Keycloak version was confirmed in the available input data, so a version upgrade recommendation cannot be made with confidence at this time. Additionally, review the Keycloak admin console for any clients with URI patterns containing wildcards (e.g., '*' or broad domain-level matches) and restrict them immediately as a compensating control while awaiting vendor patch guidance.
More in Build Of Keycloak
View allA misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploita
Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowin
Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of
Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowin
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across
A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Ra
Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or mana
Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse th
Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manag
A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no
An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely e
Same technique Authentication Bypass
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32212
GHSA-wcvj-vpvw-9rr5