CVE-2026-0976 LOW

CVE-2026-0976: Org.keycloak/keycloak-quarkus-server: keycloak: proxy bypass due to improper handling of matrix parameters in url paths

Vendor Red Hat
Product Red Hat Build of Keycloak
Weakness CWE-20 · Input validation
Published January 15, 2026
Last update January 15, 2026
View on NVD All CVEs

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.

Key dates

02Disclosure timeline

January 15, 2026 CVE published
January 15, 2026 Record updated