Description
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.
Published: 2026-01-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Apply Patch
AI Analysis

Impact

Keycloak’s Authorization header parser accepted non‑standard separators such as tabs and tolerated case variations that diverge from RFC 6750, allowing crafted Bearer tokens to be accepted. This leads to an authentication bypass that can let an attacker obtain user or administrative access without valid credentials.

Affected Systems

The flaw affects Red Hat builds of Keycloak 26.4, including the 26.4.10 update, running on Enterprise Linux 9 platforms.

Risk and Exploitability

With a CVSS score of 5.3 and an EPSS score of less than 1 %, the vulnerability is of moderate severity and considered unlikely to be widely exploited, yet it is present in the public domain. An attacker can remotely send a specially formatted Authorization header directly to the Keycloak endpoint to bypass normal bearer token checks. No privileged state or additional conditions are required beyond network access to the service.

Generated by OpenCVE AI on April 18, 2026 at 07:47 UTC.

Remediation

Vendor Workaround

To mitigate this issue, configure any front-end security controls, such as Web Application Firewalls (WAFs) or reverse proxies, to strictly validate and normalize the `Authorization` header before forwarding requests to Keycloak. This ensures that only standard Bearer token formats are processed, preventing potential bypasses.

OpenCVE Recommended Actions

  • Update Red Hat Keycloak to the patched release addressed by RHSA-2026:3947 or RHSA-2026:3948.
  • Configure any front‑end security controls, such as Web Application Firewalls or reverse proxies, to strictly validate and normalize the Authorization header, allowing only standard Bearer token formats.
  • Conduct security testing to ensure that malformed or non‑standard Authorization headers are rejected and that no legacy logic permits bypassing of the updated header validation.

Generated by OpenCVE AI on April 18, 2026 at 07:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gv94-wp4h-vv8p Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
History

Thu, 05 Mar 2026 20:30:00 +0000

Type Values Removed Values Added
References

Thu, 05 Mar 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.4::el9
References

Thu, 08 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 08 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Thu, 08 Jan 2026 04:00:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.
Title Keycloak: keycloak authorization header parsing leading to potential security control bypass
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-551
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Redhat Build Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-06T03:17:03.958Z

Reserved: 2026-01-08T02:52:15.720Z

Link: CVE-2026-0707

cve-icon Vulnrichment

Updated: 2026-01-08T15:55:04.859Z

cve-icon NVD

Status : Deferred

Published: 2026-01-08T04:15:56.520

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0707

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-01-07T00:00:00Z

Links: CVE-2026-0707 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T08:00:05Z

Weaknesses