URL Validation Flaw in Keycloak Affected by Malicious Redirects
CVE-2026-7504

8.1 HIGH

What is CVE-2026-7504?

A flaw in Keycloak's URL validation logic during redirect operations allows attackers to construct malicious redirect URLs, potentially exposing sensitive information. The vulnerability affects Keycloak clients whose 'Valid Redirect URIs' field contains wildcard entries. If an attacker crafts a redirect URL containing multiple '@' characters, the Java URI parser mishandles the user-info component, so the URL passes Keycloak's validation checks and an unsafe redirect is permitted. Exploitation requires user interaction: the risk falls on users who follow such a link and are unwittingly redirected during the process.
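As an added illustration of the mitigation (example code, not Keycloak's own implementation), the Python check below refuses any redirect URL whose authority carries a user-info component or a bare '@' before matching it against allow-list patterns of the `https://host/path/*` form; host names and patterns are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed example of a defensive redirect-URI check; not Keycloak's code.
# URL parsers disagree on which '@' separates user-info from the host, so the
# check refuses the character in the authority outright instead of trusting
# any one parser's idea of which host the URL points at.

ALLOWED_SCHEMES = ("http", "https")


def normalize_redirect(url: str):
    """Return (scheme, host, port, path) for a safe URL, or None to reject."""
    if any(c in url for c in "\\ \t\r\n"):   # characters browsers may rewrite
        return None
    try:
        parts = urlsplit(url)
        port = parts.port                     # raises ValueError on a bad port
    except ValueError:
        return None
    if parts.scheme not in ALLOWED_SCHEMES or parts.hostname is None:
        return None
    if "@" in parts.netloc:                   # any user-info, however many '@'
        return None
    path = parts.path or "/"
    if any(seg in (".", "..") for seg in path.split("/")):
        return None                           # no dot-segments past the prefix
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port, path)


def is_valid_redirect(url: str, allowed_patterns) -> bool:
    """Match url against patterns such as 'https://app.example.com/cb/*'."""
    cand = normalize_redirect(url)
    if cand is None:
        return False
    for pattern in allowed_patterns:
        wildcard = pattern.endswith("*")
        base = normalize_redirect(pattern[:-1] if wildcard else pattern)
        if base is None or cand[:3] != base[:3]:   # scheme, host, port exact
            continue
        if wildcard and cand[3].startswith(base[3]):
            return True
        if not wildcard and cand[3] == base[3]:
            return True
    return False


if __name__ == "__main__":
    allowed = ["https://app.example.com/cb/*"]        # constructed allow-list
    for u in ("https://app.example.com/cb/ok",
              "https://app.example.com@attacker.example/cb/"):
        print(u, "->", is_valid_redirect(u, allowed))
```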

Affected Version(s)

Red Hat build of Keycloak 26.2 26.2.16-1

Red Hat build of Keycloak 26.2 26.2-21

CVSS V3.1

Score: 8.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Red Hat would like to thank Duarte Antunes (Intapp) and João Mendes (Intapp) for reporting this issue.