Skip to main content

Keycloak EUVDEUVD-2026-32212

| CVE-2026-9689 MEDIUM
Improper Validation of Consistency within Input (CWE-1288)
2026-05-27 secalert@redhat.com GHSA-wcvj-vpvw-9rr5
4.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Red Hat
4.2 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 22:26 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 50 maven packages depend on org.keycloak:keycloak-services (22 direct, 28 indirect)

Ecosystem-wide dependent count for version 26.5.0.

DescriptionCVE.org

A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web address. If a user clicks this link, the client application might incorrectly prioritize attacker-controlled information over legitimate data. This vulnerability, known as HTTP parameter pollution, could allow an attacker to bypass security measures or gain unauthorized access to resources.

AnalysisAI

HTTP parameter pollution in Keycloak enables authentication bypass against deployments where OAuth/OIDC client applications are configured with permissive redirect URI patterns. An unauthenticated remote attacker who can trick a user into clicking a crafted authorization URL can inject duplicate HTTP parameters into the OAuth flow, causing the client application to prioritize attacker-supplied values over server-authoritative data - potentially hijacking the authentication process or gaining unauthorized resource access. No public exploit has been identified and EPSS (0.08%, 23rd percentile) signals low real-world exploitation probability; however, the authentication bypass impact is meaningful in identity-sensitive deployments.

Technical ContextAI

Keycloak is a widely-deployed open-source identity and access management (IAM) platform supporting OAuth 2.0 and OpenID Connect (OIDC) flows. The root cause is CWE-1288 (Improper Validation of Consistency within Input), which in this context manifests as HTTP parameter pollution - a technique where duplicate query parameters in a crafted URL are resolved inconsistently by different components in the authentication chain (e.g., the authorization server versus the relying-party client application). When a Keycloak client is registered with overly broad redirect URI patterns (wildcards or prefix-matching rather than exact URIs), an attacker can insert duplicate authorization parameters (such as state, redirect_uri, or code) into the authorization request URL. The downstream client processes these polluted parameters out of intended precedence order, acting on attacker-supplied values instead of those set by the authorization server. No CPE strings were provided in the available data, so exact affected package versions cannot be confirmed from this source alone.

RemediationAI

The primary remediation is to enforce strict, exact-match redirect URI registration for all Keycloak OAuth/OIDC clients - replacing any wildcard, prefix-based, or broadly permissive URI patterns with fully-qualified exact URIs. This directly eliminates the misconfiguration prerequisite required for exploitation; the trade-off is that legitimate applications must have all valid redirect URIs explicitly enumerated, which requires a URI audit across registered clients. For patch availability and exact fixed versions, consult the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-9689 - no specific patched Keycloak version was confirmed in the available input data, so a version upgrade recommendation cannot be made with confidence at this time. Additionally, review the Keycloak admin console for any clients with URI patterns containing wildcards (e.g., '*' or broad domain-level matches) and restrict them immediately as a compensating control while awaiting vendor patch guidance.

CVE-2024-8883 MEDIUM POC
6.1 Sep 19

A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploita

CVE-2026-3047 HIGH
8.8 Mar 05

Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowin

CVE-2026-9704 HIGH
8.8 May 27

Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of

CVE-2026-3009 HIGH
8.1 Mar 05

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowin

CVE-2024-1132 HIGH
8.1 Apr 17

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS

CVE-2024-7885 HIGH
7.5 Aug 21

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across

CVE-2024-10234 HIGH
7.3 Oct 22

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Ra

CVE-2026-37980 MEDIUM
6.9 Apr 14

Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or mana

CVE-2026-9802 MEDIUM
6.8 May 28

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse th

CVE-2025-7784 MEDIUM
6.5 Jul 18

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manag

CVE-2024-4629 MEDIUM
6.5 Sep 03

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no

CVE-2024-7260 MEDIUM
6.1 Sep 09

An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely e

Vendor StatusVendor

Share

EUVD-2026-32212 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy