Keycloak: open redirect via "form_post.jwt" JARM response mode
Description
A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients that use a wildcard in their redirect URI, by requesting the JARM response mode "form_post.jwt". This could be used to bypass the security patch implemented to address CVE-2023-6134.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Keycloak's JARM form_post.jwt response mode open redirect allows token theft, bypassing CVE-2023-6134 patch.
Vulnerability
Overview
CVE-2023-6927 is an open redirect vulnerability in Keycloak's JARM (JWT Secured Authorization Response Mode) implementation, specifically in the form_post.jwt response mode. The flaw is reachable when a client is registered with a wildcard in its redirect URI: after authentication, Keycloak posts the JWT-wrapped authorization response to an attacker-chosen URI that matches the wildcard, sending the user's browser to an arbitrary external site [1][2]. This effectively bypasses the security fix applied for CVE-2023-6134.
Exploitation
An attacker crafts a link to the authorization endpoint that targets a client whose redirect URI pattern contains a wildcard and requests the form_post.jwt response mode. When the victim authenticates, Keycloak delivers the authorization code or token, wrapped in a JWT, via a form post to the attacker-controlled redirect URI. The attacker needs no credentials of their own, only the ability to get a user to open the crafted link [1].
Impact
Successful exploitation allows the attacker to steal authorization codes or tokens, leading to account takeover or unauthorized access to protected resources [2].
Mitigation
Red Hat has released patches for Red Hat Single Sign-On 7.6.6 (RHSA-2024:0097) and Red Hat build of Keycloak 22.0.8 (RHSA-2024:0100) which address this vulnerability [3][4]; upstream Keycloak fixed the issue in 23.0.4 (see Affected packages). Users should upgrade to these versions. Until an upgrade is possible, review every client that registers a wildcard redirect URI, since the attack depends on such a client existing in the realm.
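The attack described under Exploitation needs a client registered with a wildcard redirect URI, and the Mitigation paragraph's interim advice is to find such clients. The script below is an added example written for this page, not Keycloak project code: it audits a Keycloak realm export for enabled OpenID Connect clients with wildcard redirect URIs and reports which patterns would accept an attacker-controlled callback. It assumes the usual realm-export JSON layout (a top-level `clients` list whose entries carry `clientId`, `enabled`, `protocol` and `redirectUris`); the sample realm and the probe URI `https://attacker.example/cb` are constructed for illustration, and the matcher is a deliberately simplified stand-in for Keycloak's own redirect-URI validation (a trailing `*` treated as a prefix match, a bare `*` matching anything), not a reproduction of it.

```python
"""Audit a Keycloak realm export for clients with wildcard redirect URIs.

Added example for this page, not Keycloak project code. Assumes the usual
realm-export.json layout: a top-level "clients" list whose entries carry
"clientId", "enabled", "protocol" and "redirectUris". The matcher below is a
simplified stand-in for Keycloak's redirect_uri validation (a trailing "*"
is a prefix match, a bare "*" matches anything); it is not Keycloak's code.
"""
from __future__ import annotations

import json
import sys

# Constructed probe: a URI an attacker would control. A client whose pattern
# accepts it would deliver the form_post.jwt response to the attacker's site.
ATTACKER_PROBE = "https://attacker.example/cb"

# Constructed sample realm, in realm-export.json shape, for a stand-alone run.
SAMPLE_REALM = {
    "realm": "demo",
    "clients": [
        {"clientId": "portal", "enabled": True, "protocol": "openid-connect",
         "redirectUris": ["https://portal.example.com/callback"]},
        {"clientId": "legacy-spa", "enabled": True, "protocol": "openid-connect",
         "redirectUris": ["https://legacy.example.com/*", "*"]},
        {"clientId": "mobile", "enabled": True, "protocol": "openid-connect",
         "redirectUris": ["myapp://oauth/*"]},
        {"clientId": "retired", "enabled": False, "protocol": "openid-connect",
         "redirectUris": ["*"]},
        {"clientId": "saml-app", "enabled": True, "protocol": "saml",
         "redirectUris": ["https://saml.example.com/*"]},
    ],
}


def matches_redirect(pattern: str, uri: str) -> bool:
    """Simplified wildcard check: bare "*" matches everything, a trailing "*"
    makes the rest of the pattern a prefix, anything else must match exactly."""
    if pattern == "*":
        return True
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def wildcard_patterns(client: dict) -> list[str]:
    """Redirect URI patterns of one client that contain a wildcard."""
    return [u for u in client.get("redirectUris", []) if "*" in u]


def audit_realm(realm: dict, probe_uri: str = ATTACKER_PROBE) -> list[dict]:
    """Return one finding per enabled OpenID Connect client that uses a wildcard.

    "accepts_probe" lists the patterns that would accept the probe URI, i.e.
    the ones that let an attacker-controlled site receive the response.
    Disabled clients and non-OIDC (e.g. SAML) clients are skipped because the
    JARM response modes only apply to OpenID Connect clients.
    """
    findings = []
    for client in realm.get("clients", []):
        if not client.get("enabled", True):
            continue
        if client.get("protocol", "openid-connect") != "openid-connect":
            continue
        wild = wildcard_patterns(client)
        if not wild:
            continue
        findings.append({
            "clientId": client["clientId"],
            "wildcards": wild,
            "accepts_probe": [p for p in wild if matches_redirect(p, probe_uri)],
        })
    return findings


def load_realm(path: str) -> dict:
    """Load a realm export JSON file from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def report(findings: list[dict]) -> str:
    """Human-readable summary; clients that accept the probe are listed first."""
    lines = []
    for f in sorted(findings, key=lambda f: not f["accepts_probe"]):
        flag = "OPEN" if f["accepts_probe"] else "wildcard"
        lines.append(f"[{flag}] {f['clientId']}: {', '.join(f['wildcards'])}")
    return "\n".join(lines) if lines else "no wildcard redirect URIs found"


if __name__ == "__main__":
    # Usage: python audit_redirects.py realm-export.json (sample realm if omitted)
    realm = load_realm(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REALM
    print(report(audit_realm(realm)))
```

Run against the constructed realm, the report marks `legacy-spa` as OPEN because its bare `*` accepts the probe, and lists `mobile` as a wildcard client whose `myapp://oauth/*` prefix does not. A pattern such as `https://legacy.example.com/*` is still worth tightening to an exact callback path even though it rejects a foreign host here; the simplified matcher only shows which patterns accept the one probe, so treat any `[wildcard]` entry as something to review rather than as cleared.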
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-core (Maven) | < 23.0.4 | 23.0.4 |
Affected products
- Red Hat / Red Hat build of Keycloak 22.0.8 (cpe:/a:redhat:build_keycloak:22)
- Red Hat / Red Hat build of Keycloak 22 (cpe:/a:redhat:build_keycloak:22::el9), range: 22-7
- Red Hat / Red Hat Single Sign-On 7 (cpe:/a:redhat:red_hat_single_sign_on:7.6)
- Red Hat / Single Sign-On 7.6.6 (cpe:/a:redhat:red_hat_single_sign_on:7.6.6)
- Red Hat / Red Hat Single Sign-On 7.6 for RHEL 7 (cpe:/a:redhat:red_hat_single_sign_on:7.6::el7), range: 0:18.0.12-1.redhat_00001.1.el7sso
- Red Hat / Red Hat Single Sign-On 7.6 for RHEL 8 (cpe:/a:redhat:red_hat_single_sign_on:7.6::el8), range: 0:18.0.12-1.redhat_00001.1.el8sso
- Red Hat / Red Hat Single Sign-On 7.6 for RHEL 9 (cpe:/a:redhat:red_hat_single_sign_on:7.6::el9), range: 0:18.0.12-1.redhat_00001.1.el9sso
- Red Hat / RHEL-8 based Middleware Containers (cpe:/a:redhat:rhosemc:1.0::el8), range: 7.6-41
- OSV coordinates (15 packages, no CPE), affected range < 23.0.4-r0 for the apk packages and < 23.0.4 for the Maven artifact:
  - pkg:apk/chainguard/keycloak
  - pkg:apk/chainguard/keycloak-bitnami-compat
  - pkg:apk/chainguard/keycloak-bitnami-fips
  - pkg:apk/chainguard/keycloak-compat
  - pkg:apk/chainguard/keycloak-fips
  - pkg:apk/chainguard/keycloak-fips-bitnami-compat
  - pkg:apk/chainguard/keycloak-fips-policy-140-2
  - pkg:apk/chainguard/keycloak-fips-policy-140-3
  - pkg:apk/chainguard/keycloak-iamguarded-compat
  - pkg:apk/chainguard/keycloak-iamguarded-fips
  - pkg:apk/wolfi/keycloak
  - pkg:apk/wolfi/keycloak-bitnami-compat
  - pkg:apk/wolfi/keycloak-compat
  - pkg:apk/wolfi/keycloak-iamguarded-compat
  - pkg:maven/org.keycloak/keycloak-core
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- access.redhat.com/errata/RHSA-2024:0094 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:0095 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:0096 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:0097 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:0098 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:0100 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:0101 (Red Hat vendor advisory)
- access.redhat.com/errata/RHSA-2024:0798 (Red Hat vendor advisory, via MITRE)
- access.redhat.com/errata/RHSA-2024:0799 (Red Hat vendor advisory, via MITRE)
- access.redhat.com/errata/RHSA-2024:0800 (Red Hat vendor advisory, via MITRE)
- access.redhat.com/errata/RHSA-2024:0801 (Red Hat vendor advisory, via MITRE)
- access.redhat.com/errata/RHSA-2024:0804 (Red Hat vendor advisory, via MITRE)
- github.com/advisories/GHSA-9vm7-v8wj-3fqw (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-6927 (NVD entry)
- access.redhat.com/security/cve/CVE-2023-6927 (Red Hat CVE entry)
- bugzilla.redhat.com/show_bug.cgi (Red Hat issue tracker)
- github.com/keycloak/keycloak/security/advisories/GHSA-9vm7-v8wj-3fqw (Keycloak security advisory)
News mentions
No linked articles in our index yet.