CVE-2026-7504 Overview
CVE-2026-7504 is an open redirect vulnerability in Keycloak's URL validation logic during redirect operations. Attackers can craft a malicious request that bypasses validation and redirects authenticated users to attacker-controlled URLs. The flaw affects Keycloak clients configured with a wildcard (*) in the Valid Redirect URIs field and requires user interaction to exploit. Successful exploitation can expose sensitive information within the domain or facilitate phishing and follow-on attacks against authenticated sessions. The weakness is classified under CWE-601: URL Redirection to Untrusted Site.
Critical Impact
Attackers can redirect users from a trusted Keycloak identity provider to malicious destinations, enabling credential theft, token leakage, and session hijacking against single sign-on workflows.
Affected Products
- Red Hat build of Keycloak (see referenced Red Hat Security Advisories)
- Keycloak clients configured with a wildcard (*) in Valid Redirect URIs
- Applications relying on Keycloak for OAuth 2.0 / OpenID Connect redirect validation
Discovery Timeline
- 2026-05-19 - CVE-2026-7504 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-7504
Vulnerability Analysis
The vulnerability stems from a parsing discrepancy between Keycloak's URL validation logic and the underlying Java URI implementation. When a redirect URL contains multiple @ characters in the user-info component, Java's URI parser fails to extract the user-info segment correctly. The parser leaves only the raw authority field, which Keycloak then evaluates with its wildcard comparison logic. Because the validation routine cannot detect the malformed user-info, it falls back to permissive matching and approves the malicious destination.
This is a classic differential parsing flaw. Two components in the same trust chain interpret the same input differently, and the security decision is made against the more permissive interpretation. The result is an open redirect that bypasses the intended allowlist enforced by Valid Redirect URIs.
Root Cause
The root cause is inconsistent handling of the user-info component of a URL between Keycloak's validator and java.net.URI. Crafted inputs with multiple @ characters trigger this divergence. Combined with a wildcard configuration in Valid Redirect URIs, the validator approves URLs whose effective authority points to an attacker domain.
Attack Vector
An attacker constructs a phishing link pointing to a legitimate Keycloak authorization endpoint with a malicious redirect_uri parameter. The redirect URI uses multiple @ characters in the user-info portion so that Keycloak interprets the host as a permitted value while Java's parser, and ultimately the browser, resolves the request to the attacker's domain. The victim authenticates against the trusted Keycloak instance, and Keycloak then redirects the browser, along with any authorization code or token fragment, to the attacker.
No verified public proof-of-concept code is available. Refer to the Red Hat CVE Analysis for CVE-2026-7504 and Red Hat Bug Report #2464128 for vendor technical details.
Detection Methods for CVE-2026-7504
Indicators of Compromise
- Authorization requests to Keycloak with redirect_uri values containing multiple @ characters in the user-info component.
- Outbound HTTP 302 responses from Keycloak directing clients to domains outside the organization's known application inventory.
- Authentication events immediately followed by token or authorization code delivery to unfamiliar external hosts.
Detection Strategies
- Inspect Keycloak access logs and reverse proxy logs for redirect_uri query parameters matching the pattern .*@.*@.* or otherwise containing more than one @ character.
- Audit Keycloak client configurations for any client with * in Valid Redirect URIs, which is a prerequisite for exploitation.
- Correlate OAuth 2.0 / OIDC flows with downstream HTTP referrer data to flag redirects landing on domains not present in the application allowlist.
Monitoring Recommendations
- Forward Keycloak event logs and HTTP access logs to a centralized log platform and alert on anomalous redirect_uri values.
- Monitor for spikes in authorization requests that include encoded @ characters (%40) in the redirect parameter.
- Track user-agent and geolocation patterns associated with successful logins followed by external redirects to detect targeted phishing campaigns.
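A detection script, added here as an illustration and not part of this advisory or of Keycloak, that applies the log-inspection rule above to constructed access-log lines: it decodes each redirect_uri (including %40 and double-encoded forms), counts @ characters in the URL authority, and reports the host after the last @. The log format, realm name, paths and hostnames in the sample are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in combined format (not from a real deployment).
SAMPLE_LOG = """\
10.0.0.5 - - [19/May/2026:10:00:01 +0000] "GET /realms/demo/protocol/openid-connect/auth?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback HTTP/1.1" 302 0
10.0.0.9 - - [19/May/2026:10:00:07 +0000] "GET /realms/demo/protocol/openid-connect/auth?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fapp.example.com%40user%40attacker.example%2F HTTP/1.1" 302 0
10.0.0.9 - - [19/May/2026:10:00:09 +0000] "GET /realms/demo/protocol/openid-connect/auth?client_id=app&response_type=code&redirect_uri=https%253A%252F%252Fapp.example.com%2540x%2540attacker.example%252F HTTP/1.1" 302 0
10.0.0.7 - - [19/May/2026:10:00:12 +0000] "GET /realms/demo/protocol/openid-connect/auth?client_id=app&response_type=code&redirect_uri=https%3A%2F%2Fuser%40app.example.com%2Fcb HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly (bounded) so a double-encoded %2540 collapses to @."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_redirect_uri(raw):
    """Return (count of @ in the authority, host after the last @) for a redirect_uri value.
    The host after the last @ is the one a browser actually connects to."""
    netloc = urlsplit(fully_decode(raw)).netloc
    return netloc.count("@"), netloc.rpartition("@")[2]

def find_suspicious(log_text, threshold=2):
    """Return (client_ip, decoded redirect_uri, trailing host) for every request whose
    redirect_uri carries at least `threshold` @ characters in its authority."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        # parse_qs already undoes one layer of percent-encoding
        for raw in parse_qs(urlsplit(match.group(1)).query).get("redirect_uri", []):
            at_count, host = inspect_redirect_uri(raw)
            if at_count >= threshold:
                hits.append((line.split()[0], fully_decode(raw), host))
    return hits

if __name__ == "__main__":
    for ip, uri, host in find_suspicious(SAMPLE_LOG):
        print(f"{ip} redirect_uri={uri} -> browser host {host}")
```

A single @ (ordinary user-info, as in the fourth sample line) is deliberately not flagged, matching the "more than one @" criterion above.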
How to Mitigate CVE-2026-7504
Immediate Actions Required
- Replace wildcard (*) entries in Valid Redirect URIs with explicit, fully qualified URLs for every Keycloak client.
- Apply the fixed Keycloak packages provided in the Red Hat security advisories referenced below.
- Invalidate active sessions and rotate any client secrets or signing keys if exploitation is suspected.
Patch Information
Red Hat has released patched builds of Keycloak. Apply the updates documented in RHSA-2026:19594, RHSA-2026:19595, RHSA-2026:19596, and RHSA-2026:19597. Confirm fixed versions against the Red Hat CVE Analysis for CVE-2026-7504 before redeploying.
Workarounds
- Remove wildcard redirect URIs and enforce exact-match URLs in every client configuration as an immediate hardening step.
- Deploy a reverse proxy or web application firewall rule to reject redirect_uri parameters containing more than one @ character or encoded equivalents.
- Require user re-authentication for sensitive operations to limit the value of any redirected session artifacts.
# Configuration example: replace wildcard redirect URIs with exact matches using kcadm
kcadm.sh update clients/<CLIENT_UUID> \
-r <REALM> \
-s 'redirectUris=["https://app.example.com/callback","https://app.example.com/silent-renew"]'
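A companion audit script, likewise an added example rather than Keycloak's own tooling, that lists every client still carrying a wildcard in Valid Redirect URIs. It expects the JSON array that `kcadm.sh get clients -r <REALM>` prints on stdin and falls back to a constructed sample when run interactively; the client names and URLs in that sample are assumptions.

```python
import json
import sys

# Constructed sample in the shape of `kcadm.sh get clients -r <REALM>` output (not a real export).
SAMPLE_CLIENTS = json.loads("""
[
  {"clientId": "portal", "redirectUris": ["https://portal.example.com/callback"]},
  {"clientId": "legacy-app", "redirectUris": ["*"]},
  {"clientId": "spa", "redirectUris": ["https://spa.example.com/*", "https://spa.example.com/silent-renew"]},
  {"clientId": "batch", "redirectUris": []}
]
""")

def wildcard_clients(clients):
    """Return {clientId: [offending redirect URIs]} for clients whose Valid Redirect URIs contain '*'.
    Both a bare '*' and a path wildcard such as 'https://host/*' are reported."""
    findings = {}
    for client in clients:
        bad = [uri for uri in client.get("redirectUris", []) if "*" in uri]
        if bad:
            findings[client["clientId"]] = bad
    return findings

if __name__ == "__main__":
    data = SAMPLE_CLIENTS if sys.stdin.isatty() else json.load(sys.stdin)
    for client_id, uris in wildcard_clients(data).items():
        print(f"{client_id}: {', '.join(uris)}")
```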
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.