Red Hat Build Of Keycloak EUVD-2026-19201

CVE-2026-37977 · MEDIUM
Origin Validation Error (CWE-346)
2026-04-06 · redhat · GHSA-5v8v-xvjv-57x7
CVSS 3.1 (NVD): 5.3

Severity by source

  • NVD (primary): 5.3 MEDIUM, AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  • Red Hat: 3.7 LOW (qualitative)

Primary rating from NVD.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None

Lifecycle Timeline

  • Jun 10, 2026 - 22:22 (NVD): Severity changed, LOW → MEDIUM
  • Jun 10, 2026 - 22:22 (NVD): CVSS changed, 3.7 (LOW) → 5.3 (MEDIUM)
  • Apr 06, 2026 - 09:00 (euvd): EUVD ID assigned, EUVD-2026-19201
  • Apr 06, 2026 - 09:00 (vuln.today): Analysis generated
  • Apr 06, 2026 - 08:38 (nvd): CVE published, LOW 3.7

Blast Radius (ecosystem impact)

Dependents resolved from your stack's transitive dependency graph (vuln.today resolves to a 4-path depth):
  • 53 maven packages depend on org.keycloak:keycloak-services (25 direct, 28 indirect)

Ecosystem-wide dependent count for version 26.5.7.

Description (NVD)

A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token (JWT) is used to set the Access-Control-Allow-Origin header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled azp value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with webOrigins: ["*"].
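A simplified model of the ordering defect the description states, written here as an added example and not Keycloak's code: a constructed HS256 key stands in for the realm signing key, the client's registered webOrigins list is passed in directly, and the fixed variant verifies the signature before it reads azp and treats a wildcard entry as no match.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key; stands in for the realm's signing key (assumption, not Keycloak's).
REALM_KEY = b"constructed-demo-key"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (enough to model a client-supplied token)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"

def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the HS256 signature checks out, else None."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))

def cors_origin_vulnerable(token: str, web_origins: list) -> Optional[str]:
    """Bug pattern from the description: azp is read from the still-unverified
    payload and reflected as Access-Control-Allow-Origin; the signature check
    that later rejects the grant never influences the header."""
    unverified = json.loads(_b64url_decode(token.split(".")[1]))
    azp = unverified.get("azp")
    if "*" in web_origins or azp in web_origins:
        return azp
    return None

def cors_origin_fixed(token: str, web_origins: list, key: bytes) -> Optional[str]:
    """Defensive ordering: verify the signature first, then reflect only an
    exact match against the client's registered origins (wildcard is not a match)."""
    claims = verify_jwt(token, key)
    if claims is None:
        return None
    azp = claims.get("azp")
    return azp if azp in web_origins and azp != "*" else None
```

The two functions differ only in where the signature check sits and in how a wildcard origin entry is treated; the wildcard client configuration is what the description names as the precondition, so the fixed variant refuses to reflect anything for it.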

Analysis (AI)

CORS header injection in Keycloak's User-Managed Access token endpoint allows remote attackers to reflect attacker-controlled origin values before JWT signature validation, potentially exposing low-sensitivity authorization error responses when clients are misconfigured with wildcard origin permissions. The vulnerability requires high attack complexity and affects only clients explicitly configured with webOrigins set to "*", resulting in a low-severity information disclosure with limited real-world exploitability.


Vulnerability Assessment (AI)

Risk Assessment: This vulnerability presents low real-world risk despite affecting a security-critical component. …

Exploit Scenario: An attacker crafts a malicious JWT with an `azp` claim set to an attacker-controlled domain (e.g., attacker.com). The attacker makes a cross-origin request to the Keycloak UMA token endpoint from a web browser with JavaScript access, submitting the crafted JWT. …

Remediation: Patch status and exact remediation version numbers are not provided in available data. …


Vendor Status

EUVD-2026-19201 vulnerability details – vuln.today