Keycloak Services has Improper Validation of Consistency within Input
Moderate severity
GitHub Reviewed
Published
May 27, 2026
to the GitHub Advisory Database
•
Updated Jul 1, 2026
Package
Affected versions
>= 26.5.0, <= 26.6.4
<= 26.4.7
Patched versions
None
Description
Published by the National Vulnerability Database
May 27, 2026
Published to the GitHub Advisory Database
May 27, 2026
Reviewed
Jul 1, 2026
Last updated
Jul 1, 2026
A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web address. If a user clicks this link, the client application might incorrectly prioritize attacker-controlled information over legitimate data. This vulnerability, known as HTTP parameter pollution, could allow an attacker to bypass security measures or gain unauthorized access to resources.
References