CVE-2026-0976
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.
Meta Information
Published: 2026-01-15
Last Modified: 2026-01-15
Generated: 2026-06-16
AI Q&A: 2026-01-15
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: unknown_vendor
Product: keycloak
Version / Range: *
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

This vulnerability in Keycloak involves improper input validation related to RFC-compliant matrix parameters in URL path segments. Keycloak accepts these matrix parameters, but many reverse proxy configurations ignore or mishandle them. An attacker can craft requests with matrix parameters that mask path segments, allowing them to bypass proxy-level path filtering and potentially access administrative or sensitive endpoints that are assumed to be protected. [1]

Impact Analysis

The vulnerability lets a remote attacker bypass reverse proxy path filtering and reach administrative or sensitive endpoints that operators believe are not externally reachable. The endpoints themselves still require authentication, but the proxy bypass does not: any network-based client can send the crafted request, which increases the risk of unauthorized access to sensitive parts of the Keycloak server. [1]

Detection Guidance

You can check whether your deployment is affected by sending HTTP requests with matrix parameters in URL path segments through your reverse proxy to Keycloak, for example to a path such as "/realms;abc/master/account", and observing whether they reach endpoints the proxy is meant to block. Monitoring your reverse proxy logs for path segments containing ";" provides a second signal. With curl, such a request looks like: curl -v https://your-keycloak-server/realms;abc/master/account. If requests of this form reach protected endpoints despite the proxy rules, the system is vulnerable. [1]

Mitigation Strategies

Immediate mitigation steps include reviewing and updating your reverse proxy configuration so that matrix parameters in URL path segments are handled consistently with Keycloak's interpretation or rejected outright, ensuring that proxy-level path filtering cannot be bypassed by such crafted requests. Additionally, enforce access restrictions on administrative or sensitive endpoints at multiple layers rather than relying solely on proxy filtering. Applying any available patches or updates from Keycloak that address this issue is also recommended. [1]
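The following Python script is an added example for the Detection Guidance and Mitigation Strategies sections above; it is not code from Keycloak, Red Hat or BaseFortify. It shows why a proxy rule that matches the raw request path misses a path segment carrying a matrix parameter, how to normalize the path (strip per-segment matrix parameters, percent-decode, resolve dot segments) before applying a prefix rule, and how to scan access-log lines for requests of this shape. The protected prefixes and the log lines are constructed for illustration; the helper names are this example's own.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed: path prefixes the operator intends to keep unreachable from the
# public edge. Stored without a trailing slash and matched segment-wise below.
PROTECTED_PREFIXES = ("/admin", "/realms/master/account")

# Constructed sample access-log lines (Common Log Format) for the scan below.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [15/Jan/2026:10:00:01 +0000] "GET /realms/demo/account HTTP/1.1" 200 512',
    '203.0.113.5 - - [15/Jan/2026:10:00:02 +0000] "GET /realms;abc/master/account HTTP/1.1" 200 512',
    '198.51.100.7 - - [15/Jan/2026:10:00:03 +0000] "GET /admin;x=1/master/console/ HTTP/1.1" 200 2048',
    '198.51.100.7 - - [15/Jan/2026:10:00:04 +0000] "GET /resources/style.css HTTP/1.1" 200 77',
]

# Extracts the request target from the quoted request line of a CLF entry.
_REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|PATCH|HEAD|OPTIONS) (\S+) HTTP/')


def strip_matrix_params(path):
    """Remove matrix parameters from every path segment.

    RFC 3986 allows ';' inside a segment; a server that understands matrix
    parameters reads '/realms;abc/master' as segment 'realms' with parameter
    'abc'. A proxy comparing raw strings does not, which is the mismatch
    this CVE describes.
    """
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def normalize_path(raw_target):
    """Canonical path for rule matching: decode, strip matrix params, resolve dots.

    Percent-decoding happens first on purpose: treating an encoded ';' as a
    potential delimiter is the conservative choice for a filter, at the cost
    of occasionally flagging a benign request.
    """
    path = unquote(urlsplit(raw_target).path)
    path = strip_matrix_params(path)
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # collapse '//' and '/./'
        if seg == "..":
            if parts:
                parts.pop()     # never climb above the root
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def _under_prefix(path, prefix):
    # Segment-aware prefix test: '/admin' matches '/admin/x' but not '/administrator'.
    return path == prefix or path.startswith(prefix + "/")


def naive_is_protected(raw_target):
    """The flawed proxy rule: prefix match on the raw request target."""
    return any(_under_prefix(raw_target, p) for p in PROTECTED_PREFIXES)


def is_protected(raw_target):
    """The corrected rule: prefix match on the normalized path."""
    return any(_under_prefix(normalize_path(raw_target), p) for p in PROTECTED_PREFIXES)


def has_matrix_params(raw_target):
    """True when any path segment of the (decoded) target carries a ';'."""
    return ";" in unquote(urlsplit(raw_target).path)


def scan_access_log(lines):
    """Return (raw_target, normalized_path, hits_protected) for matrix-param requests."""
    findings = []
    for line in lines:
        match = _REQUEST_RE.search(line)
        if not match:
            continue
        raw = match.group(1)
        if has_matrix_params(raw):
            findings.append((raw, normalize_path(raw), is_protected(raw)))
    return findings


if __name__ == "__main__":
    probe = "/realms;abc/master/account"
    print("raw-string rule blocks it:", naive_is_protected(probe))
    print("normalized rule blocks it:", is_protected(probe))
    for raw, norm, hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{raw!r} -> {norm!r} protected={hit}")
```

Running the script shows the raw-string rule letting "/realms;abc/master/account" through while the normalized rule catches it, and the log scan surfaces both constructed entries whose masked paths resolve to protected prefixes. In a real deployment the same normalization belongs in the proxy's path-matching stage, and the scan can run over exported proxy logs as an after-the-fact check.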

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
