GHSA-5v8v-xvjv-57x7
Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim
Details
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 26.4.13 # pom.xml: bump <version>26.4.13</version> for org.keycloak:keycloak-services 26.5.0 Fixed in: 26.6.3 # pom.xml: bump <version>26.6.3</version> for org.keycloak:keycloak-services References
- https://nvd.nist.gov/vuln/detail/CVE-2026-37977 [ADVISORY]
- https://github.com/keycloak/keycloak/issues/48036 [WEB]
- https://github.com/keycloak/keycloak/pull/49512 [WEB]
- https://github.com/keycloak/keycloak/commit/1439bd58a9f25b0d28d0400015f49f35f227ce04 [WEB]
- https://github.com/keycloak/keycloak/commit/461ce79a6cd6bfef7ca7fa41da287a3127f47ae4 [WEB]
- https://github.com/keycloak/keycloak/commit/ad34724a5d1ba8b6edf7a2c8c83826b1c20539e7 [WEB]
- https://access.redhat.com/errata/RHSA-2026:25097 [WEB]
- https://access.redhat.com/errata/RHSA-2026:25098 [WEB]
- https://access.redhat.com/errata/RHSA-2026:30049 [WEB]
- https://access.redhat.com/errata/RHSA-2026:30050 [WEB]
- https://access.redhat.com/security/cve/CVE-2026-37977 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2455324 [WEB]
- https://github.com/keycloak/keycloak [PACKAGE]