HTTP Parameter Pollution Vulnerability in Keycloak Identity Solution
CVE-2026-9689
4.2 MEDIUM
What is CVE-2026-9689?
A flaw in Keycloak, an open-source identity and access management solution, allows remote attackers to interfere with the authentication process by crafting deceptive URLs (HTTP parameter pollution). When client applications are configured to accept broad redirect URIs, attackers can influence which supplied values take priority during an authentication attempt. This may lead to unauthorized access to resources, as legitimate data may be overridden by attacker-controlled values. Organizations using Keycloak should review their client redirect URI configuration to mitigate the risk of exploitation through this vulnerability.
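As an added illustration (not Keycloak's own code and not part of this advisory), a defender-side check that an auditor could run over an authorization request URL and over a client's registered redirect URIs: it flags duplicated query parameters (the HTTP parameter pollution signal, since different components may honour the first or the last copy), flags redirect_uri values that do not exactly match a registered allowlist, and flags registered patterns that are broad. The URLs, client names and allowlist below are constructed.

```python
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed allowlist for a hypothetical client. Exact URIs are the safe
# configuration; a wildcard pattern is the kind of broad setting the advisory warns about.
REGISTERED_EXACT = {"https://app.example.com/callback"}
BROAD_PATTERN = "https://app.example.com/*"

# Constructed sample requests: the first carries a duplicated redirect_uri,
# the second is a clean request.
SAMPLE_REQUEST = (
    "https://idp.example.com/auth?client_id=demo&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fother&state=abc"
)
CLEAN_REQUEST = (
    "https://idp.example.com/auth?client_id=demo&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback&state=abc"
)


def is_broad_redirect_pattern(pattern: str) -> bool:
    """True if a registered redirect URI uses a wildcard or is only scheme and host."""
    return "*" in pattern or urlsplit(pattern).path in ("", "/")


def find_duplicate_params(url: str) -> dict:
    """Return {name: [values...]} for every query parameter that appears more than once."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    counts = Counter(name for name, _ in pairs)
    return {name: [v for n, v in pairs if n == name] for name, c in counts.items() if c > 1}


def audit_authorization_request(url: str, registered: set) -> list:
    """Return human-readable findings for an OAuth/OIDC authorization request URL."""
    findings = []
    for name, values in find_duplicate_params(url).items():
        findings.append(f"duplicate parameter {name!r}: {values}")
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    redirect_values = [v for n, v in pairs if n == "redirect_uri"]
    if not redirect_values:
        findings.append("redirect_uri missing")
    # Every copy must match the allowlist exactly; no prefix or wildcard matching.
    for value in redirect_values:
        if value not in registered:
            findings.append(f"redirect_uri not in exact allowlist: {value!r}")
    return findings
```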
References
CVSS V3.1
Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Martin Bartoš for reporting this issue.