CVE-2026-0976
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-15
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: unknown_vendor
Product: keycloak
Version / Range: * (all versions)
CWE
CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Keycloak involves improper input validation related to RFC-compliant matrix parameters in URL path segments. Keycloak accepts these matrix parameters, but many reverse proxy configurations ignore or mishandle them. An attacker can craft requests with matrix parameters that mask path segments, allowing them to bypass proxy-level path filtering and potentially access administrative or sensitive endpoints that are assumed to be protected. [1]


How can this vulnerability impact me?

The vulnerability can allow a remote attacker to bypass reverse proxy path filtering controls and expose administrative or sensitive endpoints that operators believe are not externally reachable. Authentication is still required to use these endpoints, but the proxy bypass itself needs no credentials: an unauthenticated attacker can craft the requests over the network, which increases the risk of unauthorized access to sensitive parts of the Keycloak server. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

You can check for this vulnerability by sending HTTP requests with matrix parameters in URL path segments to your Keycloak server, for example to a path such as "/realms;abc/master/account", and observing whether they reach the backend. Monitoring your reverse proxy logs for such requests, or testing whether these specially formed URLs bypass proxy-level path filtering, helps identify whether your system is vulnerable. With curl, for example: curl -v https://your-keycloak-server/realms;abc/master/account. If such requests reach endpoints that the proxy rules are meant to block, the deployment is affected. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include reviewing and updating your reverse proxy configuration to properly handle or reject matrix parameters in URL path segments, ensuring that proxy-level path filtering cannot be bypassed by such crafted requests. Additionally, restrict access to administrative or sensitive endpoints at multiple layers, not relying solely on proxy filtering. Applying any available patches or updates from Keycloak that address this issue is also recommended. [1]
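The detection and mitigation answers above both come down to one comparison: the path string the proxy matches its rules against versus the path Keycloak will actually route after honouring matrix parameters. The following Python is an added example, not code from BaseFortify, Keycloak or any proxy vendor: it strips matrix parameters from each segment the way an RFC 3986 backend does, applies a deny list to both the raw and the normalised path, and scans Combined Log Format lines for requests where the two rules disagree. The deny-list prefixes, the log lines and the IP addresses are constructed assumptions, not values from any real deployment.

```python
import re
from typing import Dict, List

# Assumed deny list for the demo, not from any real Keycloak or proxy config:
# prefixes the proxy is expected to keep off the internet.
BLOCKED_PREFIXES = ("/admin/", "/metrics")

def strip_matrix_params(path: str) -> str:
    """Drop ';param' matrix parameters from every path segment.
    A raw-string proxy rule sees '/admin;x/realms' as a segment 'admin;x';
    a backend honouring RFC 3986 matrix parameters routes it as '/admin/realms'.
    """
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))

def blocked_raw(path: str) -> bool:
    """Naive rule: prefix match on the raw request path."""
    return path.startswith(BLOCKED_PREFIXES)

def blocked_normalised(path: str) -> bool:
    """Same rule, but on the path as the backend will interpret it."""
    return strip_matrix_params(path).startswith(BLOCKED_PREFIXES)

# Combined Log Format as written by common reverse proxies.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Flag matrix-parameter requests; raw vs normalised disagreement means a bypass."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("target").split("?", 1)[0]  # ignore the query string
        if ";" in path:
            findings.append({
                "ip": m.group("ip"), "raw": path,
                "normalised": strip_matrix_params(path),
                "blocked_raw": blocked_raw(path),
                "blocked_normalised": blocked_normalised(path),
            })
    return findings

# Constructed sample lines; 203.0.113.0/24 is a documentation address range.
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Jan/2026:10:00:01 +0000] "GET /realms/master/account HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Jan/2026:10:00:02 +0000] "GET /realms;abc/master/account HTTP/1.1" 200 512',
    '203.0.113.9 - - [15/Jan/2026:10:00:03 +0000] "GET /admin/realms/master HTTP/1.1" 403 0',
    '203.0.113.9 - - [15/Jan/2026:10:00:04 +0000] "GET /admin;x=1/realms/master HTTP/1.1" 200 2048',
]
```

Any finding where blocked_raw is False but blocked_normalised is True is a request the proxy let through that its rule was meant to stop; the fix on the proxy side is to normalise (or reject) matrix parameters before the filter runs, and on the Keycloak side to enforce the restriction again rather than trusting the proxy alone.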


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

