CVE-2026-37977
CORS Header Injection in Keycloak UMA Token Endpoint

Publication date: 2026-04-06

Last updated on: 2026-04-24

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
Generated: 2026-05-07
AI Q&A generated: 2026-04-06
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: redhat
Product: build_of_keycloak
Version / Range: *
CWE
CWE-346: The product does not properly verify that the source of data or communication is valid.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-37977 is a vulnerability in Keycloak's User-Managed Access (UMA) token endpoint involving Cross-Origin Resource Sharing (CORS) header injection.

The flaw occurs because Keycloak uses the `azp` claim from a client-supplied JSON Web Token (JWT) to set the `Access-Control-Allow-Origin` header before validating the JWT's signature.

An attacker can craft a JWT with a malicious `azp` value that gets reflected in the CORS origin header, even if the JWT grant is later rejected.

This allows remote exploitation without authentication, especially when the target client is misconfigured with `webOrigins: ["*"]`, enabling any origin.

As a result, attackers can bypass origin isolation and read low-sensitivity information from UMA error responses.


How can this vulnerability impact me?

This vulnerability can allow remote attackers to bypass origin isolation and perform cross-origin reads of UMA error responses.

While the information exposed is considered low-sensitivity, it weakens the security boundaries between origins.

The impact is limited to clients misconfigured with `webOrigins: ["*"]`, which allows any origin to access resources.

Overall, the vulnerability has a low severity score (CVSS 3.7) and does not affect integrity or availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking if your Keycloak instance is misconfigured with the setting webOrigins set to ["*"], which allows any origin.

You can inspect the Keycloak configuration files or use administrative commands to verify the webOrigins setting.

Additionally, monitoring HTTP responses from the UMA token endpoint for unusual or attacker-controlled Access-Control-Allow-Origin headers can help identify exploitation attempts.

Specific commands are not provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves correcting the Keycloak client configuration by avoiding the use of webOrigins set to ["*"].

Restrict the webOrigins setting to specific, trusted origins to prevent arbitrary origins from being accepted.

Ensure that JWT signature validation occurs before any use of claims like azp to set CORS headers.

Apply any patches or updates provided by Keycloak or your Linux distribution that address this vulnerability.
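The ordering fix above (verify the signature before any claim reaches a header) and the webOrigins check from the detection answer, as an added Python example that is not Keycloak's own code: a minimal HS256 verifier, the unverified-claim ordering beside the verified ordering, and a config audit that lists clients with a wildcard `webOrigins`. The `allowed_origin` decision, the key bytes and the client records are constructed models; the advisory does not state which signing algorithm Keycloak actually uses.

```python
import base64
import hashlib
import hmac
import json


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Build a compact HS256 JWT (test fixture only, constructed for this example)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(mac)}"


def verify_jwt(token: str, key: bytes):
    """Return the claims only when the HS256 signature verifies, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except ValueError:  # wrong segment count or malformed base64
        return None


def allowed_origin(azp, web_origins):
    """Modelled CORS decision: a wildcard allow-list reflects whatever azp carries."""
    if "*" in web_origins or azp in web_origins:
        return azp
    return None


def cors_origin_vulnerable(token: str, web_origins: list):
    # Vulnerable ordering: azp is read from the payload before any signature check.
    payload = token.split(".")[1]
    return allowed_origin(json.loads(b64url_decode(payload)).get("azp"), web_origins)


def cors_origin_fixed(token: str, key: bytes, web_origins: list):
    # Fixed ordering: a token that does not verify sets no CORS header at all.
    claims = verify_jwt(token, key)
    return None if claims is None else allowed_origin(claims.get("azp"), web_origins)


def wildcard_clients(clients: list) -> list:
    """Config audit: client ids whose webOrigins contain the '*' wildcard."""
    return [c["clientId"] for c in clients if "*" in c.get("webOrigins", [])]
```

Run `wildcard_clients` over an export of your realm's client definitions to find the misconfiguration the advisory names; the two `cors_origin_*` functions only differ in where the signature check sits.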


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an attacker to bypass origin isolation and disclose low-sensitivity information from authorization server error responses due to improper CORS header handling in Keycloak's UMA token endpoint.

However, the information exposed is described as low-sensitivity, and the flaw requires a specific client misconfiguration (webOrigins set to ["*"]).

There is no direct information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

