CVE-2026-9689
Description
A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web address. If a user clicks this link, the client application might incorrectly prioritize attacker-controlled information over legitimate data. This vulnerability, known as HTTP parameter pollution, could allow an attacker to bypass security measures or gain unauthorized access to resources.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
Description keycloak: org.keycloak.protocol.oidc: HTTP Parameter Pollution in OIDC redirect URI allows response parameter duplication - #GHI-604 Red Hat statement This Moderate severity flaw in Keycloak arises from HTTP parameter pollution when a client is configured with a wildcard redirect URI. An attacker could craft a malicious authorization URL that, if clicked by a user, may lead to theβ¦
Description
keycloak: org.keycloak.protocol.oidc: HTTP Parameter Pollution in OIDC redirect URI allows response parameter duplication - #GHI-604
Red Hat statement
This Moderate severity flaw in Keycloak arises from HTTP parameter pollution when a client is configured with a wildcard redirect URI. An attacker could craft a malicious authorization URL that, if clicked by a user, may lead to the client application incorrectly processing attacker-controlled OIDC response parameters. Exploitation is contingent on the client application employing a 'first-wins' strategy for duplicate query parameters, which is not a universal behavior.
CVSS v3: 4.2 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N)
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Build of Keycloak | rhbk/keycloak-rhel9 | Fix deferred |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| redhat | build_of_keycloak | - | |
References
CWEs
CWE-1288
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.