Copyright © 2012 Red Hat, Inc. All rights reserved. Moderate 2026-05-27T10:18:25 keycloak: org.keycloak.protocol.oidc: HTTP Parameter Pollution in OIDC redirect URI allows response parameter duplication - #GHI-604 4.2 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N CWE-1288

A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web address. If a user clicks this link, the client application might incorrectly prioritize attacker-controlled information over legitimate data. This vulnerability, known as HTTP parameter pollution, could allow an attacker to bypass security measures or gain unauthorized access to resources.

This Moderate severity flaw in Keycloak arises from HTTP parameter pollution when a client is configured with a wildcard redirect URI. An attacker could craft a malicious authorization URL that, if clicked by a user, may lead to the client application incorrectly processing attacker-controlled OIDC response parameters. Exploitation is contingent on the client application employing a 'first-wins' strategy for duplicate query parameters, which is not a universal behavior. Red Hat would like to thank Martin Bartoš for reporting this issue. Red Hat Build of Keycloak Fix deferred rhbk/keycloak-rhel9 https://www.cve.org/CVERecord?id=CVE-2026-9689 https://nvd.nist.gov/vuln/detail/CVE-2026-9689