Description
A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited.

The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.
Published: 2026-05-19
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Keycloak’s redirect handling contains a flaw that allows an attacker to craft a malicious redirect URL containing multiple @ characters in the user‑info section. When the redirect URI is validated, Java’s URI parser fails to extract the user‑info, causing Keycloak to rely on a wildcard comparison and incorrectly accept the URL. This results in an open redirect that can lead to phishing, credential theft, or further exploitation of the user’s session. The vulnerability is a classic CWE‑601 defect.

Affected Systems

The flaw affects the Red Hat Build of Keycloak. It specifically impacts clients whose “Valid Redirect URIs” field contains a wildcard (*) entry. No version information is provided, so all deployments using wildcard‑based redirect URIs are potentially vulnerable.

Risk and Exploitability

Keycloak receives a CVSS score of 8.1, indicating high severity. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. Exploitation requires user interaction with a crafted redirect request; however, constructing such a request is straightforward and the widespread use of wildcard redirect URIs makes this a likely target for attackers. The attack vector involves sending a malicious URL to a user and relying on the permissive validation to redirect the user to an arbitrary site.

Generated by OpenCVE AI on May 19, 2026 at 12:50 UTC.

Remediation

Vendor Workaround

To mitigate this vulnerability, Red Hat recommends avoiding the use of wildcard characters in the "Valid Redirect URIs" field for clients within Keycloak. Instead, explicitly list all allowed redirect URIs. Review all client configurations to ensure that wildcards are not used unless absolutely necessary, and if used, ensure that the client application is robust against open redirect vulnerabilities. Changes to client configurations in Keycloak may require a restart or reload of the Keycloak service to take effect, which could impact active user sessions.

OpenCVE Recommended Actions

  • Reconfigure each client to remove any wildcard characters from the "Valid Redirect URIs" field and explicitly list all legitimate redirect URLs.
  • Restart the Keycloak service after applying the configuration changes, which may disrupt active sessions but ensures the new settings take effect.
  • Audit all client configurations to confirm that no wildcard entries remain and document a policy that disallows wildcard redirect URIs in future deployments.

Generated by OpenCVE AI on May 19, 2026 at 12:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:45:00 +0000

Type Values Removed Values Added
References

Wed, 20 May 2026 12:15:00 +0000

Type Values Removed Values Added
CPEs cpe:/a:redhat:build_keycloak: cpe:/a:redhat:build_keycloak:26.2::el9
cpe:/a:redhat:build_keycloak:26.4::el9
References

Tue, 19 May 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 19 May 2026 13:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Vendors & Products Redhat build Of Keycloak

Tue, 19 May 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Tue, 19 May 2026 11:30:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.
Title Org.keycloak/keycloak-services: open redirect when using wildcard valid redirect uris in keycloak
First Time appeared Redhat
Redhat build Keycloak
Weaknesses CWE-601
CPEs cpe:/a:redhat:build_keycloak:
Vendors & Products Redhat
Redhat build Keycloak
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Subscriptions

Redhat Build Keycloak Build Of Keycloak
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-05-20T15:48:19.026Z

Reserved: 2026-04-30T14:48:04.317Z

Link: CVE-2026-7504

cve-icon Vulnrichment

Updated: 2026-05-19T12:22:27.137Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-05-19T12:16:19.553

Modified: 2026-05-20T17:16:28.723

Link: CVE-2026-7504

cve-icon Redhat

Severity : Important

Publid Date: 2026-05-19T10:52:12Z

Links: CVE-2026-7504 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-05-19T13:00:06Z

Weaknesses