CORS Header Injection Vulnerability Affecting Keycloak by Red Hat
CVE-2026-37977

3.7 LOW

What is CVE-2026-37977?

A CORS header injection vulnerability in the User-Managed Access (UMA) token endpoint of Keycloak allows a remote, unauthenticated attacker to influence the Access-Control-Allow-Origin header of the server's response by supplying a crafted JSON Web Token (JWT). The endpoint does not properly validate the token's azp (authorized party) claim before using it to select the client whose CORS settings apply, so an attacker can name a client of their choosing. The impact is limited to low-sensitivity information carried in the authorization server's error responses, and it only matters where the named client permits all origins (webOrigins: ["*"]); in that configuration the attacker's origin is accepted and origin isolation is weakened.
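The following is an added illustration of the bug class described above, not Keycloak's code: a toy authorization server that derives the Access-Control-Allow-Origin value from the client named in a token's azp claim. The vulnerable path reads azp from the token without verifying it, so a forged token can point at a client whose webOrigins is ["*"]. The hardened path verifies the signature and requires azp to match the client that actually authenticated on the request. The client registry, the HMAC key, and the client IDs are constructed for the example; the helper also lists clients that carry the wildcard origin, which is the configuration check a practitioner would run first.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional

# Constructed client registry (not Keycloak data): client_id -> CORS settings.
CLIENTS: Dict[str, Dict[str, List[str]]] = {
    "wildcard-client": {"webOrigins": ["*"]},
    "strict-client": {"webOrigins": ["https://app.example.com"]},
}

# Constructed signing key of the authorization server (assumption for the demo).
SERVER_KEY = b"constructed-demo-hmac-key"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT. An attacker calls this with their own key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def unverified_claims(token: str) -> dict:
    """Decode the payload without checking the signature (the unsafe step)."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def verified_claims(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the HS256 signature checks out."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def _origin_for_client(client_id: Optional[str], request_origin: str) -> Optional[str]:
    client = CLIENTS.get(client_id or "")
    if client is None:
        return None
    if "*" in client["webOrigins"] or request_origin in client["webOrigins"]:
        return request_origin
    return None


def cors_origin_vulnerable(token: str, request_origin: str) -> Optional[str]:
    """Vulnerable pattern: the client whose CORS policy applies is chosen from an
    unverified azp claim, so an attacker picks any client, including one with '*'."""
    return _origin_for_client(unverified_claims(token).get("azp"), request_origin)


def cors_origin_hardened(token: str, request_origin: str,
                         authenticated_client_id: str) -> Optional[str]:
    """Hardened pattern: signature verified, and azp must equal the client that
    authenticated on this request; otherwise no CORS header is emitted at all."""
    claims = verified_claims(token, SERVER_KEY)
    if claims is None or claims.get("azp") != authenticated_client_id:
        return None
    return _origin_for_client(authenticated_client_id, request_origin)


def wildcard_clients(registry: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Configuration check: clients whose webOrigins contains '*'."""
    return sorted(cid for cid, cfg in registry.items() if "*" in cfg.get("webOrigins", []))


if __name__ == "__main__":
    forged = make_jwt({"azp": "wildcard-client"}, b"attacker-chosen-key")
    print("vulnerable:", cors_origin_vulnerable(forged, "https://evil.example"))
    print("hardened:  ", cors_origin_hardened(forged, "https://evil.example", "strict-client"))
    print("wildcard clients:", wildcard_clients(CLIENTS))
```

The forged token never passes `verified_claims`, and even a validly signed token cannot borrow another client's wildcard policy once azp is bound to the authenticated client; the remaining exposure is the ["*"] setting itself, which `wildcard_clients` surfaces.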

Affected Version(s)

  • Red Hat build of Keycloak 26.6 26.6.3-3

  • Red Hat build of Keycloak 26.6 26.6-6

CVSS v3.1

Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Score: 3.7
Severity: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Timeline

  • Vulnerability published

  • Vulnerability reserved