CVE-2026-37977
Modified Modified - Updated After Analysis
CORS Header Injection in Keycloak UMA Token Endpoint

Publication date: 2026-04-06

Last updated on: 2026-06-10

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-06-10
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-37977
EUVD
EUVD-2026-19201
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
redhat build_of_keycloak *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-37977 is a vulnerability in Keycloak's User-Managed Access (UMA) token endpoint involving Cross-Origin Resource Sharing (CORS) header injection.

The flaw occurs because Keycloak uses the `azp` claim from a client-supplied JSON Web Token (JWT) to set the `Access-Control-Allow-Origin` header before validating the JWT's signature.

An attacker can craft a JWT with a malicious `azp` value that gets reflected in the CORS origin header, even if the JWT grant is later rejected.

This allows remote exploitation without authentication, especially when the target client is misconfigured with `webOrigins: ["*"]`, enabling any origin.

As a result, attackers can bypass origin isolation and read low-sensitivity information from UMA error responses.

Impact Analysis

This vulnerability can allow remote attackers to bypass origin isolation and perform cross-origin reads of UMA error responses.

While the information exposed is considered low-sensitivity, it weakens the security boundaries between origins.

The impact is limited to clients misconfigured with `webOrigins: ["*"]`, which allows any origin to access resources.

Overall, the vulnerability has a low severity score (CVSS 3.7) and does not affect integrity or availability.

Detection Guidance

Detection of this vulnerability involves checking if your Keycloak instance is misconfigured with the setting webOrigins set to ["*"], which allows any origin.

You can inspect the Keycloak configuration files or use administrative commands to verify the webOrigins setting.

Additionally, monitoring HTTP responses from the UMA token endpoint for unusual or attacker-controlled Access-Control-Allow-Origin headers can help identify exploitation attempts.

Specific commands are not provided in the available resources.

Mitigation Strategies

Immediate mitigation involves correcting the Keycloak client configuration by avoiding the use of webOrigins set to ["*"].

Restrict the webOrigins setting to specific, trusted origins to prevent arbitrary origins from being accepted.

Ensure that JWT signature validation occurs before any use of claims like azp to set CORS headers.

Apply any patches or updates provided by Keycloak or your Linux distribution that address this vulnerability.

Compliance Impact

The vulnerability allows an attacker to bypass origin isolation and disclose low-sensitivity information from authorization server error responses due to improper CORS header handling in Keycloak's UMA token endpoint.

However, the information exposed is described as low-sensitivity, and the flaw requires a specific client misconfiguration (webOrigins set to ["*"]).

There is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-37977. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart