Description
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
Published: 2026-04-06
Score: 3.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure via CORS header injection
Action: Apply Patch
AI Analysis

Impact

A flaw in the User-Managed Access token endpoint of Keycloak allows an attacker to craft a JSON Web Token with a malicious azp claim that is used to set the Access-Control-Allow-Origin header before the token is verified. The header is reflected in the response even if the grant is later rejected, potentially revealing low-sensitivity error information. The underlying weakness is insufficient validation of user input before header generation.
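The ordering flaw that the description and the Impact paragraph refer to, modelled as an added Python example (not Keycloak's own code): a mock UMA-style token endpoint that derives Access-Control-Allow-Origin from the unverified azp claim, beside a hardened variant that checks the signature before any claim can influence a header. The HS256 secret, the make_jwt helper and the cors_headers gate on webOrigins are constructed assumptions for the model.

```python
import base64, hashlib, hmac, json

SERVER_SECRET = b"constructed-demo-secret"  # constructed; not a Keycloak key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, secret: bytes) -> str:
    """Minimal HS256 JWT builder (hypothetical helper) used to construct test input."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(sig)}"


def signature_valid(token: str, secret: bytes) -> bool:
    head, body, sig = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def unverified_claims(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))


def cors_headers(origin: str, web_origins: list) -> dict:
    # "*" in the client's webOrigins admits any origin; a specific list does not.
    if "*" in web_origins or origin in web_origins:
        return {"Access-Control-Allow-Origin": origin}
    return {}


def vulnerable_endpoint(token: str, web_origins: list) -> dict:
    """Header derived from azp BEFORE the signature is checked (the flawed ordering)."""
    headers = cors_headers(unverified_claims(token).get("azp", ""), web_origins)
    if not signature_valid(token, SERVER_SECRET):
        # The rejection carries the reflected header, so the error body is readable cross-origin.
        return {"status": 401, "headers": headers, "body": {"error": "invalid_grant"}}
    return {"status": 200, "headers": headers, "body": {"ok": True}}


def hardened_endpoint(token: str, web_origins: list) -> dict:
    """Verify first; only a validly signed token's azp may influence CORS headers."""
    if not signature_valid(token, SERVER_SECRET):
        return {"status": 401, "headers": {}, "body": {"error": "invalid_grant"}}
    headers = cors_headers(unverified_claims(token).get("azp", ""), web_origins)
    return {"status": 200, "headers": headers, "body": {"ok": True}}
```

With a specific webOrigins list the vulnerable variant no longer reflects an arbitrary azp, which is the condition the advisory ties the exposure to.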

Affected Systems

The vulnerability affects Red Hat Build of Keycloak. No specific version range is listed in the available data, so all installations that have not yet applied a vendor fix are potentially exposed.

Risk and Exploitability

With a CVSS score of 3.7, the vulnerability presents a moderate severity risk. The EPSS score is not available and the issue is not listed in CISA’s KEV catalog, indicating no known widespread exploitation to date. The likely attack vector is remote, requiring the attacker to send a specially crafted JWT to the UMA endpoint of a misconfigured client that permits all web origins. Successful exploitation can compromise origin isolation and disclose error responses, but does not grant arbitrary code execution.

Generated by OpenCVE AI on April 6, 2026 at 11:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Keycloak to the latest version that includes a patch for the CORS header injection flaw.
  • Reconfigure affected clients to use specific webOrigins rather than '*', limiting header reflection to trusted origins.
  • Monitor application logs for unexpected CORS headers or error responses that may indicate an attempted exploit.



Advisories
Source | ID | Title
GitHub GHSA | GHSA-5v8v-xvjv-57x7 | Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim
History

Fri, 24 Apr 2026 15:45:00 +0000

Type | Values Removed | Values Added
CPEs | | cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*

Tue, 07 Apr 2026 00:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Redhat build Of Keycloak
Vendors & Products | | Redhat build Of Keycloak

Mon, 06 Apr 2026 13:00:00 +0000

Type | Values Removed | Values Added
References | |
Metrics | threat_severity: None | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}; threat_severity: Low


Mon, 06 Apr 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | | A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
Title | | Keycloak: org.keycloak.protocol.oidc.grants.ciba: keycloak: information disclosure via cors header injection due to unvalidated jwt azp claim
First Time appeared | | Redhat; Redhat build Keycloak
Weaknesses | | CWE-346
CPEs | | cpe:/a:redhat:build_keycloak:
Vendors & Products | | Redhat; Redhat build Keycloak
References | |
Metrics | | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-24T15:44:23.520Z

Reserved: 2026-04-06T07:48:39.721Z

Link: CVE-2026-37977

Vulnrichment

Updated: 2026-04-06T11:57:12.995Z

NVD

Status : Analyzed

Published: 2026-04-06T09:16:17.850

Modified: 2026-04-24T15:39:21.883

Link: CVE-2026-37977

Redhat

Severity : Low

Public Date: 2026-04-06T08:34:01Z

Links: CVE-2026-37977 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-06T21:33:05Z

Weaknesses