VYPR
Low severity · 3.7 · NVD Advisory · Published Jan 15, 2026 · Updated Apr 15, 2026

CVE-2026-0976

Description

A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Keycloak accepts RFC-compliant matrix parameters in URL paths, allowing attackers to bypass reverse proxy path filtering and potentially expose sensitive endpoints.

Vulnerability

Overview

CVE-2026-0976 is an improper input validation vulnerability in Keycloak. The issue arises because Keycloak's JAX-RS routing layer accepts RFC-compliant matrix parameters (e.g., ;param) within URL path segments, while common reverse proxy configurations may ignore or mishandle these parameters when enforcing access restrictions [1][2][4]. This discrepancy allows a remote attacker to craft requests that mask path segments, potentially bypassing proxy-level path filtering.

Exploitation

An attacker can exploit this vulnerability by sending crafted requests such as /realms;abc/master/account to mask path segments [4]. The attack is network-based and requires no authentication to trigger the bypass, though authentication is still required to access the underlying endpoints [4]. The success of exploitation depends on the specific reverse proxy configuration deployed in front of Keycloak [4].

Impact

If successfully exploited, this vulnerability could expose administrative or sensitive endpoints that operators believe are not externally reachable [1][2][4]. While authentication is still required, the bypass of proxy-level filtering could allow attackers to reach endpoints that were intended to be hidden from external access, increasing the attack surface.

Mitigation

As of the publication date (2026-01-15), no patch has been released. Operators should review their reverse proxy configurations to ensure matrix parameters are handled consistently with Keycloak's behavior. The Keycloak project is aware of the issue and may provide updates in future releases [3][4].
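As an illustration of the mitigation above (an added example, not code from the Keycloak project or any proxy vendor): a Python path normalizer that strips RFC 3986 matrix parameters from each segment before a deny-list is applied, so the proxy's view of a path matches what the routing layer sees. The deny-list prefixes and the extra sample paths are constructed for illustration.

```python
"""Normalize request paths before proxy-side filtering.

RFC 3986 allows ';'-separated matrix parameters inside a path segment,
e.g. '/realms;abc/master/account'. A filter that matches the raw string
and a backend that routes on the segment with parameters removed will
disagree on which resource is addressed. Stripping the parameters first
makes the deny-list decision on the same path the backend will route.
"""
from urllib.parse import unquote

# Constructed deny-list for illustration only; not a Keycloak or proxy default.
DENY_PREFIXES = ("/admin", "/realms/master/account")


def strip_matrix_params(path: str) -> str:
    """Drop ';param[=value]' suffixes from every path segment."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def normalize_path(raw_path: str) -> str:
    """Percent-decode, strip matrix params, collapse slashes.

    Decoding first means '%3B' is treated like ';'. For a deny-list this
    errs toward denying, which is the safe direction for a filter.
    """
    stripped = strip_matrix_params(unquote(raw_path))
    parts = [p for p in stripped.split("/") if p]  # drops '//' and trailing '/'
    return "/" + "/".join(parts)


def has_matrix_params(raw_path: str) -> bool:
    """True if any segment carries a ';'. Useful as a log/alert signal,
    since legitimate clients of this service rarely send matrix params."""
    return any(";" in seg for seg in unquote(raw_path).split("/"))


def is_denied(raw_path: str) -> bool:
    """Apply the deny-list to the normalized path, never to the raw one."""
    norm = normalize_path(raw_path)
    return any(norm == p or norm.startswith(p + "/") for p in DENY_PREFIXES)
```

The key property is that a path and its matrix-parameter variant normalize to the same string, so a rule written for one applies to both.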

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.keycloak:keycloak-quarkus-server (Maven)
Affected versions: <= 26.2.5
Patched versions: (none listed)

Affected products: 1

Patches: 0

No patches discovered yet.
