How CVE-2026-7504 Works
CVE-2026-7504 is an open redirect vulnerability in Keycloak’s redirect URI validation logic. It affects clients whose “Valid Redirect URIs” field contains the wildcard `*`. The flaw is a discrepancy between how Keycloak validates a redirect URI and how the underlying Java `URI` parser (`java.net.URI`) handles a malformed user‑info component. In a typical OAuth2/OIDC authorization request, the `redirect_uri` parameter is checked against the client’s configured list; even when a client is configured with `*` as a valid redirect URI, the server is still expected to handle the user‑info part of the target correctly before the wildcard rule is applied.
An attacker can construct a malicious `redirect_uri` that contains multiple `@` characters inside the user‑info section (the part before the hostname). For example:
https://evil.com@attacker.com@trusted.com/callback
Java’s `URI` class cannot parse such a string as a server‑based authority, because a user‑info component may not itself contain `@`. Rather than rejecting the input, it falls back to treating the whole of `evil.com@attacker.com@trusted.com` as an opaque, registry‑based authority: `getAuthority()` returns the raw string, while `getUserInfo()` and `getHost()` both return `null`. No exception is thrown, so nothing signals that the user‑info was never isolated.
Keycloak’s validation routine, however, expects the user‑info to have been isolated and removed by the parser. Because the parser reports no user‑info and raises no error, the check never notices the embedded `evil.com@attacker.com` payload. The validation logic then falls back to the wildcard rule (`*`), which matches anything, and incorrectly allows the redirect to proceed.
Once the user clicks the malicious link (user interaction is required), they are redirected to an arbitrary URL controlled by the attacker, which can be used for phishing, credential theft, or other follow‑up attacks. The vulnerability is triggered only when the client has a wildcard in its valid redirect URIs, making it a configuration‑dependent flaw.
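As an added illustration (not Keycloak’s own code and not part of the original advisory), the Java program below shows what `java.net.URI` reports for a normal user‑info URL and for the multi‑`@` string above, and models a validator that trusts the parser’s `getUserInfo()` next to a hardened variant that inspects the raw authority instead. The class and method names, the host names and the shape of the allow‑list check are assumptions made for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

/**
 * Illustrative model only (not Keycloak's code): a redirect_uri check that
 * trusts java.net.URI to isolate the user-info component, next to a hardened
 * variant that does not. Names and the allow-list shape are assumptions.
 */
public class RedirectUriCheck {

    // Naive check: rely on the parser to expose user-info, refuse it if present,
    // then match the configured entries (the literal "*" matches anything).
    static boolean naiveAllows(String redirectUri, List<String> validRedirects) {
        URI uri;
        try {
            uri = new URI(redirectUri);
        } catch (URISyntaxException e) {
            return false; // unparseable input is rejected
        }
        if (uri.getUserInfo() != null) {
            return false; // "https://evil.com@trusted.com/..." is caught here
        }
        // "https://evil.com@attacker.com@trusted.com/..." is NOT caught: the parser
        // could not split user-info from host, so getUserInfo() is null.
        for (String valid : validRedirects) {
            if (valid.equals("*")) {
                return true;
            }
            if (uri.getHost() != null
                    && valid.equals(uri.getScheme() + "://" + uri.getHost() + uri.getPath())) {
                return true;
            }
        }
        return false;
    }

    // Hardened check: require a server-based authority (host actually parsed)
    // and reject any '@' in the raw authority, whatever the parser made of it.
    static boolean hardenedAllows(String redirectUri, List<String> validRedirects) {
        URI uri;
        try {
            uri = new URI(redirectUri);
        } catch (URISyntaxException e) {
            return false;
        }
        String authority = uri.getRawAuthority();
        if (authority == null || uri.getHost() == null) {
            return false; // registry-based authority: the multi-'@' case lands here
        }
        if (authority.indexOf('@') >= 0) {
            return false; // no user-info accepted at all for a redirect target
        }
        for (String valid : validRedirects) {
            if (valid.equals("*")
                    || valid.equals(uri.getScheme() + "://" + uri.getHost() + uri.getPath())) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws URISyntaxException {
        String benign = "https://trusted.com/callback";
        String singleAt = "https://evil.com@trusted.com/callback";
        String multiAt = "https://evil.com@attacker.com@trusted.com/callback";

        // What java.net.URI reports for each input.
        for (String s : List.of(benign, singleAt, multiAt)) {
            URI u = new URI(s);
            System.out.printf("%-52s host=%-12s userInfo=%-22s authority=%s%n",
                    s, u.getHost(), u.getUserInfo(), u.getRawAuthority());
        }

        // A client configured with the bare wildcard, as in the advisory.
        List<String> wildcardClient = List.of("*");
        System.out.println("naive    allows multi-@ : " + naiveAllows(multiAt, wildcardClient));
        System.out.println("hardened allows multi-@ : " + hardenedAllows(multiAt, wildcardClient));
        System.out.println("hardened allows benign  : " + hardenedAllows(benign, wildcardClient));
    }
}
```

Run it with `java RedirectUriCheck.java` (single‑file launch, JDK 11 or later). For the multi‑`@` input, `getHost()` and `getUserInfo()` are both `null` because the parser fell back to a registry‑based authority, so the naive check admits it under `*`, while the hardened check rejects it because the raw authority still contains `@`. Rejecting any `@` in the authority is also the filter to place in front of a wildcard client if the wildcard cannot be removed.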
<h2 style="color: blue;">DailyCVE Form</h2>
Platform: ....... Red Hat Keycloak
Version: ........ Prior to 26.6.2
Vulnerability :.. Open Redirect Bypass
Severity: ....... High (CVSS 8.1)
date: ........... 2026-05-19
<h2 style="color: blue;">Prediction: ..... 2026-05-19 (fixed)</h2>
<h2 style="color: blue;">What Undercode Say</h2>
Check whether any client in the realm uses a wildcard in Valid Redirect URIs (run after `kcadm.sh config credentials ...`):
kcadm.sh get clients -r <REALM> | jq '.[] | select(any(.redirectUris[]?; contains("*"))) | {clientId, redirectUris}'
Test for the bypass with a crafted redirect_uri (on Quarkus‑based Keycloak 17+ the path has no `/auth` prefix unless the server was started with a relative path; a vulnerable server answers with the login page instead of an “Invalid parameter: redirect_uri” error page):
curl -i "https://keycloak-server/realms/<REALM>/protocol/openid-connect/auth?client_id=<CLIENT>&redirect_uri=https%3A%2F%2Fevil.com%40attacker.com%40trusted.com%2Fcallback&response_type=code&scope=openid"
<h2 style="color: blue;">Exploit</h2>
1. Identify a Keycloak client configured with `*` in its “Valid Redirect URIs”.
2. Craft an authorization request URL whose `redirect_uri` parameter contains multiple `@` characters (URL‑encoded when sent), e.g.:
`https://keycloak.example.com/realms/master/protocol/openid-connect/auth?client_id=vulnerable-client&redirect_uri=https://evil.com@attacker.com@trusted.com/callback&response_type=code`
3. Trick a user into clicking the crafted link (e.g., via a phishing email).
4. After the user authenticates (and consents, if required), Keycloak accepts the redirect URI: its Java `URI` parser reports no user‑info for `https://evil.com@attacker.com@trusted.com/callback`, so the wildcard rule admits it, and the user’s browser is sent to the attacker‑controlled destination.
Protection
- Upgrade to Keycloak version 26.6.2 or later.
- Remove the bare wildcard (`*`) from “Valid Redirect URIs”; list explicit, exact redirect URIs instead.
- If a wildcard is unavoidable, add server‑side validation of the `redirect_uri` parameter in front of Keycloak: reject any value whose authority contains `@` or that does not parse to a hostname on an allowlist.
- Monitor access logs for suspicious patterns (e.g., multiple `@` characters in redirect URIs).
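As an added example (not part of the advisory and not Keycloak code), the Java scan below decodes the `redirect_uri` query parameter from access‑log lines and flags any request whose redirect target carries `@` in its authority. It goes slightly beyond the bullet above by flagging a single `@` as well, since a legitimate OAuth2 redirect URI has no reason to carry user‑info. The log line format, the client and host names and the sample lines are constructed for the demonstration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Flags authorization requests whose redirect_uri carries '@' in its authority (illustrative). */
public class RedirectUriLogScan {

    // Pulls the raw (still percent-encoded) redirect_uri value out of a request line.
    private static final Pattern REDIRECT_PARAM = Pattern.compile("[?&]redirect_uri=([^&\\s\"]+)");

    // Number of '@' characters in the authority part, i.e. between "//" and the
    // next '/', '?' or '#'. Counting on the decoded string avoids missing %40.
    static int atSignsInAuthority(String rawRedirectUri) {
        String decoded = URLDecoder.decode(rawRedirectUri, StandardCharsets.UTF_8);
        int start = decoded.indexOf("//");
        if (start < 0) {
            return 0; // no authority at all (relative or opaque URI)
        }
        start += 2;
        int end = start;
        while (end < decoded.length() && "/?#".indexOf(decoded.charAt(end)) < 0) {
            end++;
        }
        int count = 0;
        for (int i = start; i < end; i++) {
            if (decoded.charAt(i) == '@') {
                count++;
            }
        }
        return count;
    }

    // Returns the log lines whose redirect_uri authority contains at least one '@'.
    static List<String> suspicious(List<String> logLines) {
        List<String> hits = new ArrayList<>();
        for (String line : logLines) {
            Matcher m = REDIRECT_PARAM.matcher(line);
            if (m.find() && atSignsInAuthority(m.group(1)) > 0) {
                hits.add(line);
            }
        }
        return hits;
    }

    public static void main(String[] args) {
        // Constructed sample access-log lines in a common combined-log shape (not real Keycloak output).
        List<String> sample = List.of(
            "203.0.113.5 - - [19/May/2026:10:00:01 +0000] \"GET /realms/master/protocol/openid-connect/auth?client_id=app&redirect_uri=https%3A%2F%2Ftrusted.com%2Fcallback&response_type=code HTTP/1.1\" 200 1234",
            "203.0.113.9 - - [19/May/2026:10:00:07 +0000] \"GET /realms/master/protocol/openid-connect/auth?client_id=app&redirect_uri=https%3A%2F%2Fevil.com%40attacker.com%40trusted.com%2Fcallback&response_type=code HTTP/1.1\" 200 1234",
            "203.0.113.7 - - [19/May/2026:10:00:09 +0000] \"GET /realms/master/protocol/openid-connect/auth?client_id=app&redirect_uri=https%3A%2F%2Fuser%40trusted.com%2Fcallback&response_type=code HTTP/1.1\" 200 1234"
        );
        for (String hit : suspicious(sample)) {
            System.out.println("SUSPICIOUS (" + atSignsInAuthority(
                    REDIRECT_PARAM.matcher(hit).results().findFirst().get().group(1)) + " '@'): " + hit);
        }
    }
}
```

Run it with `java RedirectUriLogScan.java`. Of the three constructed lines, the first is clean, the second carries two `@` in the authority and the third carries one; both of the latter are reported. The same `atSignsInAuthority` logic can be applied to Keycloak’s own event log where the `redirect_uri` detail is recorded.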
Impact
Successful exploitation allows an attacker to:
- Redirect users to a malicious site under the attacker’s control.
- Perform phishing attacks that appear to originate from the trusted Keycloak domain.
- Bypass OAuth2/OIDC redirect URI restrictions, potentially leaking authorization codes or tokens to an attacker‑controlled endpoint.
- Facilitate further attacks such as session fixation, credential harvesting, or cross‑site scripting (XSS) if combined with other vulnerabilities.
Sources:
Reported By: nvd.nist.gov

