Key information

Bug ID: Bug 2429869 (CVE-2026-0976)
Description: Improper input validation vulnerability in Keycloak related to the handling of matrix parameters in URL paths.
CVSS: CVE-2026-0976
Component: vulnerability
Version: unspecified
Affected operating system: Linux
Priority: low
Severity: low
Reported: 2026-01-15 07:10 UTC
Modified: 2026-01-15 11:21 UTC

Vulnerability details

Improper input validation vulnerability in Keycloak related to the handling of matrix parameters in URL paths. The issue occurs because Keycloak, via its JAX-RS routing layer, accepts RFC-compliant matrix parameters (e.g., ) in path segments, while common reverse proxy configurations may ignore or mishandle them when enforcing access restrictions. A remote attacker can craft requests such as to mask path segments and bypass proxy-level path filtering. Although authentication is still required, this may expose administrative or sensitive endpoints that operators believe are not externally reachable. Exploitation is network-based, requires no authentication, and depends on the reverse proxy configuration in front of Keycloak.
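The proxy-side mitigation this entry implies, as an added example that is not part of the Bugzilla record or of Keycloak: evaluate the access rule against a path whose matrix parameters (`;key=value` after a segment, standard URI syntax) have been stripped, instead of against the raw path. The restricted prefixes are constructed sample policy, not Keycloak's real endpoint layout, and the function names are assumed.

```python
"""Added example: normalise matrix parameters before a prefix-based access check.

A naive proxy rule compares the raw request path with a restricted prefix; a
segment carrying matrix parameters no longer matches that prefix even though
a JAX-RS router would still route it to the same resource. Stripping the
';...' part of every segment (after percent-decoding) closes that gap.
"""
from urllib.parse import unquote

# Constructed sample policy: prefixes that must not be reachable from outside.
RESTRICTED_PREFIXES = ("/admin", "/metrics")


def strip_matrix_params(path: str) -> str:
    """Percent-decode the path, then drop ';...' from every segment."""
    segments = unquote(path).split("/")
    return "/".join(seg.split(";", 1)[0] for seg in segments)


def has_matrix_params(path: str) -> bool:
    """True when at least one segment carries matrix parameters."""
    return strip_matrix_params(path) != unquote(path)


def _prefix_hit(path: str) -> bool:
    return any(path == p or path.startswith(p + "/") for p in RESTRICTED_PREFIXES)


def naive_is_blocked(path: str) -> bool:
    """Prefix check applied to the raw path, as a weak proxy rule would do it."""
    return _prefix_hit(path)


def hardened_is_blocked(path: str) -> bool:
    """Prefix check applied to the normalised path (also catches '%3B')."""
    return _prefix_hit(strip_matrix_params(path))


if __name__ == "__main__":
    for p in ("/admin/realms", "/admin;v=1/realms", "/admin%3Bv=1/realms"):
        print(f"{p:28} naive={naive_is_blocked(p)!s:5} hardened={hardened_is_blocked(p)}")
```

Operators who have no legitimate use for matrix parameters can go further and reject any request for which has_matrix_params() is true, regardless of prefix.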