CVE-2026-7504— Org.keycloak/keycloak-services: open redirect when using wildcard valid redirect uris in keycloak
Possible ATT&CK Techniques 2AI
T1566.002 · Spearphishing Link T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 8
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2.16-1< * | unaffected |
26.2-21< * | unaffected | ||
26.2-21< * | unaffected | ||
| Red Hat | Red Hat build of Keycloak 26.2.16 | any | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4.12-1< * | unaffected |
26.4-17< * | unaffected | ||
26.4-17< * | unaffected | ||
| Red Hat | Red Hat build of Keycloak 26.4.12 | any | unaffected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-7504
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Org.keycloak/keycloak-services: open redirect when using wildcard valid redirect uris in keycloak
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
指向未可信站点的URL重定向(开放重定向)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Keycloak 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在输入验证错误漏洞,该漏洞源于URL验证逻辑在重定向操作中存在差异,可能导致攻击者绕过验证将用户重定向到未授权URL,造成敏感信息泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2.16-1 ~ * | cpe:/a:redhat:build_keycloak:26.2::el9 | |
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2-21 ~ * | cpe:/a:redhat:build_keycloak:26.2::el9 | |
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2-21 ~ * | cpe:/a:redhat:build_keycloak:26.2::el9 | |
| Red Hat | Red Hat build of Keycloak 26.2.16 | - | cpe:/a:redhat:build_keycloak:26.2::el9 | |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4.12-1 ~ * | cpe:/a:redhat:build_keycloak:26.4::el9 | |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-17 ~ * | cpe:/a:redhat:build_keycloak:26.4::el9 | |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-17 ~ * | cpe:/a:redhat:build_keycloak:26.4::el9 | |
| Red Hat | Red Hat build of Keycloak 26.4.12 | - | cpe:/a:redhat:build_keycloak:26.4::el9 |
II. Public POCs for CVE-2026-7504
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-7504
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-7504 (6)
- 🔗 RHSA-2026:19596 - Security Advisory - Red Hat Customer Portal Read full article vendor-advisoryx_refsource_REDHAT
- 🔗 RHSA-2026:19597 - Security Advisory - Red Hat Customer Portal Read full article vendor-advisoryx_refsource_REDHAT
Same Patch Batch · Red Hat · 2026-05-19 · 11 CVEs total
| CVE-2026-7507 | 7.5 HIGH | Org.keycloak/keycloak-services: session fixation in oidc login flow that can lead to accou |
| CVE-2026-7307 | 7.5 HIGH | Keycloak: keycloak: denial of service via specially crafted saml input |
| CVE-2026-7571 | 7.1 HIGH | Keycloak: keycloak: access token disclosure and implicit flow bypass via forged client dat |
| CVE-2026-37982 | 6.8 MEDIUM | Keycloak: org.keycloak.authentication: keycloak: unauthorized account takeover via webauth |
| CVE-2026-4630 | 6.8 MEDIUM | Keycloak: keycloak: unauthorized resource access and data modification via insecure direct |
| CVE-2026-37979 | 6.5 MEDIUM | Keycloak: keycloak: information disclosure via oidc token introspection endpoint audience |
| CVE-2026-8922 | 5.4 MEDIUM | Org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: security flaw in org |
| CVE-2026-37978 | 4.9 MEDIUM | Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admi |
| CVE-2026-37981 | 4.3 MEDIUM | Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access c |
| CVE-2026-8830 | 4.3 MEDIUM | Keycloak: org.keycloak/keycloak-services: keycloak: policy bypass during webauthn credenti |
IV. Related Vulnerabilities
Same product: Red Hat build of Keycloak 26.2
- CVE-2026-7507
Org.keycloak/keycloak-services: session fixation in oidc log - CVE-2026-7307
Keycloak: keycloak: denial of service via specially crafted - CVE-2026-4636
Keycloak: keycloak: uma policy bypass allows authenticated u - CVE-2026-4282
Keycloak: keycloak: privilege escalation via forged authoriz - CVE-2026-4325
Keycloak: keycloak: replay of action tokens via improper han
Same vendor: Red Hat
- CVE-2026-44604
Rpm: command injection in rpmuncompress dountar() via unesca - CVE-2026-9803
Keycloak: keycloak: denial of service via malformed authoriz - CVE-2026-9802
Keycloak: keycloak: unauthorized account access via replayed - CVE-2026-9801
Keycloak: keycloak: denial of service via malformed ldap pas - CVE-2026-9798
Keycloak: keycloak: brute-force protection bypass in ciba fl
Same weakness: CWE-601
- CVE-2026-44681
Authlib: Open Redirect in Authlib OIDC Implicit/Hybrid Autho - CVE-2026-45335
WeGIA: Middleware whitelist bypass → open redirect via Inter - CVE-2026-49059
WordPress Facebook for WooCommerce plugin <= 3.7.0 - Open Re - CVE-2026-44833
Snipe-IT: Open redirect vulnerability - CVE-2026-48589
Apache Shiro: Jakarta EE open redirect via untrusted Referer
V. Comments for CVE-2026-7504
No comments yet