VYPR
Moderate severity · OSV Advisory · Published Sep 9, 2024 · Updated Jan 23, 2026

Keycloak-core: open redirect on account page

CVE-2024-7260

Description

An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user into visiting a malicious webpage. A trusted URL can trick users and automation into believing that the URL is safe, when, in fact, it redirects to a malicious server. This issue can result in a victim inadvertently trusting the destination of the redirect, potentially leading to a successful phishing attack or other types of attacks.

Once a crafted URL is made, it can be sent to a Keycloak admin via email, for example. This will trigger the vulnerability when the user visits the page and clicks the link. A malicious actor can use this to target users they know are Keycloak admins for further attacks. It may also be possible to bypass other domain-related security checks, such as supplying this as an OAuth redirect URI. The malicious actor can further obfuscate the redirect_uri using URL encoding, to hide the text of the actual malicious website domain.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Keycloak contains an open redirect vulnerability via crafted referrer/referrer_uri parameters, enabling phishing or bypass of domain checks.

Vulnerability

Description

Keycloak is vulnerable to an open redirect flaw (CVE-2024-7260) where specially crafted URLs using the referrer and referrer_uri parameters can redirect users to an attacker-controlled malicious webpage [1][2]. The root cause lies in insufficient validation of these parameters, allowing a trusted-looking Keycloak URL to actually redirect to an arbitrary external site [1][2].

Exploitation

A crafted URL can be sent to a Keycloak admin via email or other channels; when the admin visits the page and clicks the link, the redirect is triggered [2]. The attack does not require authentication on the part of the target, but the victim must be a Keycloak user (often an admin) who interacts with the malicious link [2]. An attacker can further obfuscate the redirect_uri using URL encoding to hide the malicious domain, making the link appear more legitimate [2]. It may also be possible to bypass OAuth redirect URI checks by supplying this crafted parameter as part of an OAuth flow [2].

Impact

A successful exploit can lead a victim to trust a malicious destination, enabling phishing attacks or other social engineering schemes [1][2]. Since the initial URL appears to be a legitimate Keycloak endpoint, the victim may disclose credentials or sensitive information to the attacker's server [1][2]. This vulnerability can also be leveraged to bypass domain-related security constraints that rely on proper redirect validation [2].

Mitigation

Red Hat has addressed this vulnerability in Keycloak version 24.0.7 images released in RHSA-2024:6502 [3]. Users should update their Keycloak deployments to this or a later patched version to mitigate the risk [3]. The advisory also notes that this fix is available for Red Hat build of Keycloak for OpenShift [3].
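Alongside the upgrade, a defender will want to know whether the account page was hit with an external referrer_uri before the fix was deployed. The following Python is an added example, not Keycloak's own code or validation logic: it applies an allowlist check to the referrer_uri value after repeated percent-decoding, so the URL-encoding obfuscation mentioned above cannot hide the host, and runs that check over constructed access-log lines. The /realms/demo/account/ path layout, the allowlisted hosts and the log format are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Hosts the account page may legitimately hand the browser back to (constructed allowlist).
ALLOWED_HOSTS = {"sso.example.com", "app.example.com"}

def fully_decode(value, rounds=3):
    """Percent-decode until stable so nested encoding cannot hide a host."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_trusted_redirect(value):
    """True only for same-origin relative paths or allowlisted http(s) hosts."""
    target = fully_decode(value.strip())
    if "\\" in target:               # backslashes are a known parser-confusion trick
        return False
    parts = urlsplit(target)
    if parts.netloc:                 # absolute or scheme-relative (//host) URL
        if parts.scheme not in ("", "http", "https"):
            return False
        return (parts.hostname or "").lower() in ALLOWED_HOSTS
    if parts.scheme:                 # scheme with no host, e.g. mailto:
        return False
    return target.startswith("/")    # plain path on the Keycloak origin

# Assumed log format: "<client_ip> - - "GET <path> HTTP/1.1" <status>"
REQUEST_RE = re.compile(r'"GET (\S*/account/?\S*) HTTP/')

def find_untrusted_referrers(log_text):
    """(client_ip, decoded referrer_uri) for account-page hits that would leave the trusted set."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        query = urlsplit(m.group(1)).query          # parse_qs decodes one layer itself
        for raw in parse_qs(query).get("referrer_uri", []):
            if not is_trusted_redirect(raw):
                findings.append((line.split()[0], fully_decode(raw)))
    return findings

# Constructed sample access-log lines (not from the advisory); the middle two carry an
# encoded and a double-encoded external referrer_uri, the others stay on trusted hosts.
SAMPLE_LOG = """\
10.0.0.5 - - "GET /realms/demo/account/?referrer=app&referrer_uri=https://app.example.com/home HTTP/1.1" 200
10.0.0.7 - - "GET /realms/demo/account/?referrer=app&referrer_uri=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302
10.0.0.9 - - "GET /realms/demo/account/?referrer=app&referrer_uri=%252F%252Fevil.example HTTP/1.1" 302
10.0.0.4 - - "GET /realms/demo/account/?referrer=app&referrer_uri=/account/password HTTP/1.1" 200
"""
```

Run `find_untrusted_referrers` over a real access log export; any finding dated before the 24.0.7 rollout is a request worth reviewing with the affected user.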

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                Affected versions    Patched versions
org.keycloak:keycloak-core (Maven)     < 24.0.7             24.0.7

Affected products: 10

Patches: 0 (no patches discovered yet)


References: 6
