Medium severity5.3GHSA Advisory· Published Jan 8, 2026· Updated Apr 15, 2026

CVE-2026-0707

Description

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.keycloak:keycloak-parentMaven	<= 26.5.0	—

Affected products

Keycloak/KeycloakGHSA
Range: <= 26.5.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-gv94-wp4h-vv8pghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-0707ghsaADVISORY
access.redhat.com/errata/RHSA-2026:3947nvdWEB
access.redhat.com/errata/RHSA-2026:3948nvdWEB
access.redhat.com/security/cve/CVE-2026-0707nvdWEB
bugzilla.redhat.com/show_bug.cginvdWEB

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000