CVE-2026-9689
HTTP Parameter Pollution in Keycloak Authentication
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Red Hat, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jboss | keycloak | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1288 | The product receives a complex input with multiple elements or fields that must be consistent with each other, but it does not validate or incorrectly validates that the input is actually consistent. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9689 is a security vulnerability in Keycloak, an open-source identity and access management solution. The flaw involves HTTP Parameter Pollution in the OpenID Connect (OIDC) redirect URI handling.
When a client application is configured with a broad or wildcard redirect URI (for example, http://localhost:8080/*), Keycloak's method for adding response parameters to the redirect URL does not check for duplicates. This allows an attacker to craft a malicious authorization URL that includes duplicate parameters.
If a user clicks on this specially crafted link, and the client application uses a 'first-wins' approach to parsing query parameters, the application might trust attacker-controlled values instead of legitimate ones. This manipulation can lead to bypassing security measures or gaining unauthorized access.
How can this vulnerability impact me?
This vulnerability can allow a remote attacker to manipulate the authentication process by injecting attacker-controlled parameters into the redirect URI.
If exploited, it may enable the attacker to bypass security controls or gain unauthorized access to protected resources within the client application.
Successful exploitation requires that the client application has a wildcard redirect URI configured and that a user interacts with a maliciously crafted authorization URL.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by analyzing the redirect URIs used by Keycloak clients to identify if any are configured with wildcard patterns (e.g., http://localhost:8080/*). Additionally, monitoring and inspecting authorization URLs for duplicated query parameters such as iss, code, state, and session_state can help detect HTTP Parameter Pollution.
To detect exploitation attempts on your network, you can capture and inspect HTTP requests to the Keycloak authorization endpoint for suspicious URLs containing duplicated parameters.
Example commands to assist detection might include:
- Using curl to fetch and inspect redirect URIs or authorization URLs:
  `curl -v 'https://<keycloak-server>/auth/realms/<realm>/protocol/openid-connect/auth?client_id=<client>&redirect_uri=<redirect_uri>&response_type=code&scope=openid'`
- Using network traffic capture tools like tcpdump or Wireshark to filter HTTP requests to Keycloak endpoints and analyze query parameters for duplicates. Example tcpdump command to capture HTTP traffic with a non-empty TCP payload on port 8080 (`-l` line-buffers the output so the pipe into grep prints matches as they arrive):
  `tcpdump -l -i any -A 'tcp port 8080 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'GET /auth/realms/'`
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include reviewing and restricting client redirect URIs to avoid using wildcard patterns. Instead, specify exact redirect URIs to prevent attackers from exploiting HTTP Parameter Pollution.
Additionally, update Keycloak to a version where this issue is addressed if such a fix is available, or apply any recommended patches from the vendor.
As a temporary workaround, clients should implement strict validation and parsing of redirect URIs and query parameters, ensuring that duplicate parameters are handled securely, preferably by rejecting requests with duplicated parameters.
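The detection and workaround answers above translate into three small checks, shown here as an added example that is not Keycloak's or any client library's own code: auditing a client definition for wildcard redirect URIs, flagging a callback URL whose OIDC response parameters repeat, and a strict callback parser that rejects such duplicates instead of taking the first value. The `redirectUris` key follows the layout of a Keycloak realm export; the sample client and URLs are constructed, and the authorization-request heuristic is an assumption about where duplicates originate.

```python
# Added example (not Keycloak code): defensive checks for the HTTP Parameter
# Pollution pattern on OIDC redirects. The 'redirectUris' key mirrors a Keycloak
# realm export; sample inputs are constructed for illustration.
from urllib.parse import parse_qsl, urlsplit

# Parameters Keycloak appends to the redirect URI in an authorization response.
OIDC_RESPONSE_PARAMS = {"iss", "code", "state", "session_state"}


def wildcard_redirect_uris(client: dict) -> list[str]:
    """Return the client's configured redirect URIs that contain a '*' wildcard."""
    return [u for u in client.get("redirectUris", []) if "*" in u]


def _multi(query: str) -> dict[str, list[str]]:
    """Group query values by key, keeping every repeat in order."""
    grouped: dict[str, list[str]] = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        grouped.setdefault(key, []).append(value)
    return grouped


def duplicated_response_params(url: str) -> dict[str, list[str]]:
    """Map each OIDC response parameter that repeats in the URL to all its values."""
    return {k: v for k, v in _multi(urlsplit(url).query).items()
            if k in OIDC_RESPONSE_PARAMS and len(v) > 1}


def response_params_inside_redirect_uri(auth_url: str) -> set[str]:
    """Heuristic (assumed) for an authorization request: response parameters that
    already sit inside the redirect_uri value, where Keycloak appends its own."""
    found: set[str] = set()
    for redirect in _multi(urlsplit(auth_url).query).get("redirect_uri", []):
        found |= set(_multi(urlsplit(redirect).query)) & OIDC_RESPONSE_PARAMS
    return found


def parse_callback(callback_url: str) -> dict[str, str]:
    """Strict client-side parser: refuse the callback if any response parameter
    repeats, rather than silently keeping the first (or last) occurrence."""
    dups = duplicated_response_params(callback_url)
    if dups:
        raise ValueError(f"duplicated OIDC parameters: {sorted(dups)}")
    return dict(parse_qsl(urlsplit(callback_url).query, keep_blank_values=True))


if __name__ == "__main__":  # constructed demo input
    print(wildcard_redirect_uris({"clientId": "demo", "redirectUris": ["http://localhost:8080/*"]}))
    print(duplicated_response_params("http://localhost:8080/cb?code=a&state=x&code=b&state=y"))
```

Note that Keycloak deployments without the legacy `/auth` context path expose the endpoint under `/realms/<realm>/...`, so adjust any path filter accordingly.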