CVE-2026-0707
Authorization Header Parsing Flaw in Keycloak Risks Authentication Bypass
Publication date: 2026-01-08
Last updated on: 2026-03-05
Assigner: Red Hat, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| keycloak | keycloak | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-551 | If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Keycloak involves its Authorization header parser being overly permissive with the Bearer authentication scheme. It accepts non-standard characters such as tabs and tolerates case variations that deviate from the RFC 6750 standard. This leniency causes inconsistencies between Keycloak's backend authentication and front-end security controls like Web Application Firewalls and proxies, potentially allowing attackers to bypass security controls. [1]
How can this vulnerability impact me? :
The vulnerability can allow attackers to exploit discrepancies in how Keycloak processes Authorization headers compared to front-end security controls. This may lead to bypassing security controls and unauthorized access to protected resources, increasing the risk of security breaches in systems using Keycloak for authentication. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring and analyzing Authorization headers in HTTP requests to your Keycloak server for non-standard Bearer token formats. Specifically, look for Authorization headers that contain tabs, multiple spaces, mixed whitespace characters, or case variations in the 'Bearer' scheme. You can use network packet capture tools like tcpdump or Wireshark to capture traffic, and then use command-line tools such as grep or awk to filter Authorization headers with irregular formatting. For example, using tcpdump: tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'Authorization: Bearer' and then inspecting for tabs or unusual whitespace characters. Alternatively, you can use scripting languages like Python or bash to parse logs or captured traffic for these anomalies. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating Keycloak to a version where this vulnerability is fixed, if available. In the meantime, you can implement stricter validation of Authorization headers at the front-end security controls such as Web Application Firewalls (WAFs) or proxies to reject Authorization headers with non-standard formatting, such as tabs or case variations in the Bearer scheme. This helps prevent attackers from exploiting the discrepancy between Keycloak's permissive parser and front-end controls. Additionally, monitor and audit authentication logs for suspicious Authorization header formats to detect potential exploitation attempts. [1]