
CVE-2026-0976

org.keycloak/keycloak-quarkus-server: Keycloak: proxy bypass due to improper handling of matrix parameters in URL paths

A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).

Affected products (vendor / product / default status):
Red Hat / Red Hat Build of Keycloak / affected
Red Hat / Red Hat JBoss Enterprise Application Platform 8 / affected
Red Hat / Red Hat JBoss Enterprise Application Platform Expansion Pack / affected
No advisory was found for this CVE.

EPSS metrics
Type / Source / Score / Percentile
EPSS / FIRST.org / 0.01% / 0.024

CVSS metrics
Source / Base Score / Exploit Score / Impact Score / Vector String
secalert@redhat.com / 3.7 / 2.2 / 1.4 / CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.