CORS Header Injection Vulnerability Affecting Keycloak by Red Hat
CVE-2026-37977

3.7 LOW

Key Information:

Vendor

Red Hat

CVE Published:
6 April 2026

What is CVE-2026-37977?

A CORS header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint allows remote attackers to manipulate the Access-Control-Allow-Origin header using a client-supplied JSON Web Token (JWT). The issue arises from improper validation of the azp (authorized party) claim, which can expose low-sensitivity information from the authorization server's error responses. It primarily affects configurations where the target client permits all origins through webOrigins: ["*"], which weakens origin isolation.
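Because the advisory singles out clients configured with webOrigins: ["*"], a defender's first step is to find such clients in a realm export and to confirm that CORS responses only echo exactly allowlisted origins. The following is an added example written for this page, not Keycloak's own code; the realm export is constructed, and only the "clients", "clientId" and "webOrigins" keys mirror the real export format.

```python
import json
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed realm export (values are made up); the key names follow
# Keycloak's realm export format so the audit works on a real file too.
REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "spa-frontend", "webOrigins": ["https://app.example.com"]},
        {"clientId": "legacy-portal", "webOrigins": ["*"]},
        {"clientId": "admin-tool", "webOrigins": []},
    ],
})


def audit_wildcard_web_origins(realm_json: str) -> List[str]:
    """Return clientIds whose webOrigins contain the '*' wildcard.

    These are the clients the advisory describes as primarily affected,
    so they are the ones to re-configure with an explicit origin list.
    """
    realm = json.loads(realm_json)
    return sorted(
        client["clientId"]
        for client in realm.get("clients", [])
        if "*" in client.get("webOrigins", [])
    )


def allowed_origin(request_origin: str, web_origins: List[str]) -> Optional[str]:
    """Strict allowlist check for the Access-Control-Allow-Origin value.

    The Origin request header is echoed back only on an exact match
    (scheme + host[:port], compared case-insensitively). A '*' entry
    is deliberately not honoured, so a wildcard configuration cannot
    cause an arbitrary caller's origin to be reflected.
    """
    parts = urlsplit(request_origin)
    # Reject "null", bare hostnames, paths and non-web schemes outright.
    if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
        return None
    normalized = f"{parts.scheme}://{parts.netloc.lower()}"
    allowlist = {origin.lower() for origin in web_origins if origin != "*"}
    return normalized if normalized in allowlist else None
```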

References

CVSS V3.1

Score:
3.7
Severity:
LOW
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
