CVE-2026-7504

Keycloak (Red Hat) · Keycloak

A flaw in Keycloak’s URL validation logic during redirect operations could allow for open redirection or potential security bypasses.

Executive summary

An improper URL validation vulnerability in Keycloak during redirect operations presents a risk of unauthorized redirection or security bypass.

Vulnerability

This vulnerability stems from flaws in the URL validation logic within Keycloak's redirect operations. The issue may allow an attacker to bypass intended security constraints during redirection, potentially facilitating phishing or other malicious activities by redirecting users to unauthorized locations.

Business impact

This vulnerability can be exploited to facilitate social engineering attacks or to bypass security controls that rely on trusted redirect paths. With a CVSS score of 8.1, the risk is elevated: the flaw can be leveraged to redirect authenticated users to malicious sites, potentially resulting in credential theft or further system compromise.

Remediation

Immediate Action: Apply the latest security updates released by the vendor to address the URL validation flaw.

Proactive Monitoring: Monitor application logs for unexpected or suspicious redirect patterns that deviate from standard authentication flows.

Compensating Controls: Implement strict allow-lists for redirect URLs within the application configuration to mitigate the risk of unauthorized redirection.
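An added example covering the last two items above (not Keycloak's own code and not from this advisory): a strict allow-list check for redirect URIs, of the kind Keycloak enforces through a client's "Valid redirect URIs", applied to constructed access-log lines to flag redirect_uri values that fall outside the list. The client name, hostnames and log lines are assumptions made up for the demonstration.

```python
import re
from urllib.parse import urlsplit, unquote

# Registered redirect URIs for one hypothetical client (constructed for this
# example; in Keycloak these live in the client's "Valid redirect URIs").
ALLOWED_REDIRECTS = frozenset({
    "https://app.example.com/callback",
    "https://app.example.com/oauth/*",  # a trailing "/*" permits a path prefix only
})

def is_allowed_redirect(candidate: str, allowed=ALLOWED_REDIRECTS) -> bool:
    """True only if scheme://host/path equals a registered entry or sits under a
    registered '/*' prefix; substring and host-suffix matching are avoided."""
    parts = urlsplit(candidate)
    # Only absolute https with a plain host; userinfo, backslashes, query
    # strings and fragments are rejected outright in this simplified model.
    if parts.scheme != "https" or not parts.hostname or "@" in parts.netloc:
        return False
    if "\\" in candidate or parts.query or parts.fragment:
        return False
    norm = f"https://{parts.netloc.lower()}{parts.path or '/'}"
    for entry in allowed:
        if entry.endswith("/*"):
            # entry[:-1] keeps the slash, so "/oauth/*" cannot match "/oauthx"
            if norm.startswith(entry[:-1]):
                return True
        elif norm == entry:
            return True
    return False

# Constructed access-log lines for Keycloak's authorization endpoint
# (/realms/<realm>/protocol/openid-connect/auth); redirect_uri is the field under review.
SAMPLE_LOG = """\
GET /realms/demo/protocol/openid-connect/auth?client_id=app&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback 302
GET /realms/demo/protocol/openid-connect/auth?client_id=app&redirect_uri=https%3A%2F%2Fapp.example.com%2Foauth%2Fdone 302
GET /realms/demo/protocol/openid-connect/auth?client_id=app&redirect_uri=https%3A%2F%2Fapp.example.com.evil.example%2Fcallback 302
GET /realms/demo/protocol/openid-connect/auth?client_id=app&redirect_uri=%2F%2Fevil.example%2Fcallback 302
"""

def find_suspicious_redirects(log_text: str) -> list:
    """Return each decoded redirect_uri in the log that fails the allow-list."""
    flagged = []
    for line in log_text.splitlines():
        m = re.search(r"[?&]redirect_uri=([^&\s]+)", line)
        if not m:
            continue
        target = unquote(m.group(1))
        if not is_allowed_redirect(target):
            flagged.append(target)
    return flagged
```

Running find_suspicious_redirects over SAMPLE_LOG returns the look-alike host and the protocol-relative target, which is exactly the kind of deviation the monitoring item above asks administrators to watch for.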

Exploitation status

Public Exploit Available: false

Analyst recommendation

The severity of this flaw necessitates prompt remediation. Administrators should ensure that all instances of Keycloak are updated to the latest version to correct the underlying URL validation logic and prevent the exploitation of redirect operations.