VYPR
High severity (8.1) · NVD Advisory · Published May 19, 2026 · Updated May 20, 2026

CVE-2026-7504

Description

A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited.

The issue stems from a discrepancy between how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed with multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info and leaves only the raw authority field populated. Consequently, Keycloak's validation check does not detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Keycloak open redirect via crafted user-info in redirect URL when wildcard Valid Redirect URIs are used.

Vulnerability

A flaw in Keycloak's URL validation logic during redirect operations allows an open redirect when a client is configured with a wildcard (*) in the "Valid Redirect URIs" field. The issue arises from a discrepancy between Keycloak's validation and Java's URI parser when handling multiple @ characters in the user-info component of a URL. Java's parser fails to extract the user-info, leaving only the raw authority, causing Keycloak to fall back to a wildcard comparison and incorrectly permit the malicious redirect. Affected versions include Keycloak prior to 26.4.12 and 26.2.16. [1][2][3][4]

Exploitation

An attacker must craft a redirect URL containing multiple @ characters in the user-info section (e.g., http://valid.example.com@evil.com) and trick a user into clicking the malicious link. No authentication is required; the vulnerability is triggered during the OAuth2/OIDC redirect flow. [1]

Impact

Successful exploitation enables an attacker to redirect a user to an arbitrary external URL, bypassing the intended redirect URI validation. This can lead to phishing attacks, disclosure of sensitive information such as authorization codes or tokens, and facilitate further attacks. [1]

Mitigation

Red Hat released fixed versions on 2026-05-20: Keycloak 26.4.12 (RHSA-2026:19597 and RHSA-2026:19596) and Keycloak 26.2.16 (RHSA-2026:19595). Users should update to these versions. As a workaround, avoid using wildcard (*) in Valid Redirect URIs; instead, specify explicit, allowed redirect URIs. [2][3][4]
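As an added illustration of the parsing discrepancy described above and of the recommended workaround (example code, not Keycloak's own validation logic and not part of this advisory), the following Java snippet shows what java.net.URI returns for an authority with repeated @ characters, and how an exact-host allowlist with no wildcards rejects both that input and any URL carrying user-info. The host names and the allowlist are constructed for the example.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

public final class RedirectUriCheck {

    // Constructed allowlist of exact redirect hosts (no wildcards) for this example.
    private static final Set<String> ALLOWED_HOSTS = Set.of("app.example.com");

    /**
     * Accepts only http(s) URLs whose host java.net.URI actually extracted
     * and which match the exact-host allowlist. Any user-info, and any
     * authority the parser could not split into host/port, is rejected.
     */
    public static boolean isAllowedRedirect(String candidate) {
        final URI uri;
        try {
            uri = new URI(candidate);
        } catch (URISyntaxException e) {
            return false; // unparseable input is never a valid redirect target
        }
        String scheme = uri.getScheme();
        if (scheme == null
                || !(scheme.equalsIgnoreCase("http") || scheme.equalsIgnoreCase("https"))) {
            return false;
        }
        // With several '@' in the authority, parseServer() fails and URI falls back
        // to a registry-based authority: getUserInfo() and getHost() are both null
        // while getRawAuthority() still holds the whole raw string. Reject that.
        if (uri.getHost() == null || uri.getUserInfo() != null) {
            return false;
        }
        String rawAuthority = uri.getRawAuthority();
        if (rawAuthority != null && rawAuthority.indexOf('@') >= 0) {
            return false;
        }
        return ALLOWED_HOSTS.contains(uri.getHost().toLowerCase());
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed inputs: a legitimate redirect and two user-info variants.
        String good = "https://app.example.com/callback";
        String singleAt = "https://app.example.com@attacker.example/callback";
        String multiAt = "https://app.example.com@x@attacker.example/callback";

        URI u = new URI(multiAt);
        System.out.println("userInfo=" + u.getUserInfo() + " host=" + u.getHost()
                + " rawAuthority=" + u.getRawAuthority());
        for (String s : new String[] {good, singleAt, multiAt}) {
            System.out.println(s + " -> " + (isAllowedRedirect(s) ? "allowed" : "rejected"));
        }
    }
}
```

Only the first URL is allowed; the single-@ form is rejected because user-info is present, and the multiple-@ form because the parser returned no host at all.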

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (6)

News mentions (0)

No linked articles in our index yet.