Description
A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.
Published: 2026-01-15
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Remote Path Bypass
Action: Apply Controls
AI Analysis

Impact

Keycloak accepts RFC-compliant matrix parameters in URL path segments. When a reverse proxy does not preserve or properly handle these parameters, an attacker can craft requests that hide privileged path segments, thereby bypassing proxy-level path filtering. The vulnerability is an input validation flaw (CWE‑20) that allows a remote attacker to send a single HTTP request containing matrix parameters to a Keycloak instance and potentially reach endpoints that operators assume are not externally reachable.

Affected Systems

Red Hat Build of Keycloak, Red Hat JBoss Enterprise Application Platform 8, and Red Hat JBoss Enterprise Application Platform Expansion Pack are affected. No specific version ranges are listed, so all installed instances of these products should be evaluated for exposure to this issue.

Risk and Exploitability

The CVSS base score is 3.7, indicating low severity. Exploitation requires only remote access to transmit a crafted request. The EPSS score is below 1 %, suggesting that exploitation attempts are rare. The vulnerability is not listed in the CISA KEV catalog. Because the attack can be performed over the public network, operators should address the weakness if their protective controls for administrative endpoints are insufficient.

Generated by OpenCVE AI on April 18, 2026 at 19:12 UTC.

Remediation

Vendor Workaround

To mitigate this issue, ensure that all administrative and sensitive endpoints within Keycloak are adequately protected by robust authentication and authorization policies, independent of any reverse proxy path filtering. Operators should review Keycloak's internal access controls to confirm that access to these endpoints is restricted to authorized users and roles.

OpenCVE Recommended Actions

  • Ensure that all administrative and sensitive endpoints within Keycloak are protected by robust authentication and authorization policies, independent of any reverse proxy path filtering.
  • Review Keycloak’s internal access controls to confirm that access to these endpoints is restricted to authorized users and roles.
  • Configure the reverse proxy or Keycloak deployment to strip or reject matrix parameters in URL path segments, disabling the bypass capability.

Generated by OpenCVE AI on April 18, 2026 at 19:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v897-pv23-r8cw Keycloak has an improper input validation vulnerability
History

Fri, 16 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 15 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 15 Jan 2026 12:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.
Title Org.keycloak/keycloak-quarkus-server: keycloak: proxy bypass due to improper handling of matrix parameters in url paths
First Time appeared Redhat
Redhat build Keycloak
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Weaknesses CWE-20
CPEs cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jbosseapxp
Vendors & Products Redhat
Redhat build Keycloak
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
References
Metrics cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Redhat Build Keycloak Jboss Enterprise Application Platform Jbosseapxp
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-01-15T14:45:41.540Z

Reserved: 2026-01-15T06:43:41.332Z

Link: CVE-2026-0976

cve-icon Vulnrichment

Updated: 2026-01-15T14:45:37.752Z

cve-icon NVD

Status : Deferred

Published: 2026-01-15T13:16:04.910

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0976

cve-icon Redhat

Severity : Low

Publid Date: 2026-01-15T00:00:00Z

Links: CVE-2026-0976 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T19:15:10Z

Weaknesses