CVE-2026-7504
Open Redirect in Keycloak via Malformed URL
Publication date: 2026-05-19
Last updated on: 2026-05-20
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| redhat | keycloak | to 3.0.0 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a flaw in Keycloak's URL validation logic during redirect operations. An attacker can craft a malicious request that bypasses the validation process to redirect users to unauthorized URLs.
The root cause is a discrepancy between how Keycloak and the Java URI implementation handle the user-info component of a URL. Specifically, if a malicious redirect URL uses multiple '@' characters in the user-info section, Java's URI parser fails to extract the user-info properly, leaving only the raw authority field.
Because of this failure, Keycloak's validation check does not detect the malformed user-info and falls back to a wildcard comparison. This fallback incorrectly permits the malicious redirect.
This vulnerability affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be exploited.
How can this vulnerability impact me?
This vulnerability can lead to users being redirected to unauthorized URLs controlled by an attacker.
Such redirects can expose sensitive information within the domain or facilitate further attacks, such as phishing or session hijacking.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, avoid configuring Keycloak clients with a wildcard (*) in the "Valid Redirect URIs" field, as this allows malicious redirect URLs to bypass validation.
Ensure that the "Valid Redirect URIs" are explicitly defined and do not include wildcards that could be exploited.
Additionally, monitor for updates or patches from Keycloak or your vendor addressing this issue and apply them promptly.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability in Keycloak's URL validation logic can lead to unauthorized redirects, potentially exposing sensitive information within the domain or enabling further attacks.
Such exposure or unauthorized access to sensitive data could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information.
By allowing attackers to bypass redirect validation, the flaw increases the risk of data leakage or phishing attacks, which are critical concerns under these regulations.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for malicious redirect URLs that exploit the flaw in Keycloak's URL validation logic, specifically those containing multiple '@' characters in the user-info section of the URL.
To detect potential exploitation attempts on your system or network, you can search Keycloak logs or web server access logs for redirect requests containing multiple '@' characters in the URL user-info part.
- Use grep or a similar tool to search logs for suspicious redirect URLs, for example: `grep -E 'https?://[^/]*@[^@]*@' /path/to/keycloak/logs/access.log`
- This command looks for URLs with multiple '@' characters, which are indicative of the malformed user-info component exploited by this vulnerability.
Additionally, monitoring for unusual redirect patterns or unexpected external redirect destinations in Keycloak client configurations that use wildcard (*) in the "Valid Redirect URIs" field can help identify potential exploitation.
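The grep above misses URL-encoded values (a `redirect_uri` parameter usually arrives with `%40` rather than a literal `@`) and also matches '@' characters that sit in the path or query rather than the authority. The following added example, which is not part of this page or of Keycloak, decodes the `redirect_uri` parameter from access-log lines and flags only values whose authority component carries more than one '@'. The log lines are constructed, and the request format (Common Log Format with the query string preserved) is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines; not taken from any real deployment.
# Line 2 carries a redirect_uri whose authority holds two '@' characters.
# Line 3 has two '@' characters too, but only inside the query string.
SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2026:10:01:02 +0000] "GET /realms/demo/protocol/openid-connect/auth?client_id=app&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb HTTP/1.1" 302 0
10.0.0.7 - - [19/May/2026:10:01:09 +0000] "GET /realms/demo/protocol/openid-connect/auth?client_id=app&redirect_uri=https%3A%2F%2Fapp.example.com%40user%40attacker.example%2Fcb HTTP/1.1" 302 0
10.0.0.9 - - [19/May/2026:10:02:15 +0000] "GET /realms/demo/protocol/openid-connect/auth?client_id=app&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb%3Fnote%3Da%40b%40c HTTP/1.1" 302 0
"""

# Pulls the request target (path plus query) out of a CLF-style log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_redirects(log_text):
    """Return (line_no, decoded_redirect_uri, at_count, parsed_host) for every
    redirect_uri whose authority contains more than one '@'.

    parse_qs percent-decodes the parameter, so %40 is counted as '@'.
    urlsplit().netloc is the raw authority, so '@' in the path or query is
    ignored. parsed_host is what Python's parser treats as the host; other
    parsers (the page notes Java's URI differs) may disagree, which is
    exactly the ambiguity worth alerting on.
    """
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        for redirect_uri in parse_qs(query).get("redirect_uri", []):
            parts = urlsplit(redirect_uri)
            at_count = parts.netloc.count("@")
            if at_count > 1:
                hits.append((line_no, redirect_uri, at_count, parts.hostname))
    return hits


if __name__ == "__main__":
    for line_no, uri, count, host in suspicious_redirects(SAMPLE_LOG):
        print(f"line {line_no}: {count} '@' in authority, host parsed as {host}: {uri}")
```

Feed the function the contents of the proxy or Keycloak access log; a non-empty result is worth correlating with the client configurations that still use a wildcard in "Valid Redirect URIs".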