Keycloak CVE-2026-7504: Critical URL Validation Bypass

A high-severity vulnerability, CVE-2026-7504, has been identified in Keycloak’s URL validation logic, according to the National Vulnerability Database. This flaw allows an attacker to bypass redirect validation, potentially leading to unauthorized redirects and the exposure of sensitive information within the domain, or facilitating further attacks. The exploit requires user interaction and specifically impacts Keycloak clients configured with a wildcard (*) in their “Valid Redirect URIs” field.

The root cause lies in a discrepancy between Keycloak’s validation and Java’s URI implementation. An attacker can craft a malicious redirect URL using multiple ‘@’ characters within the user-info component. Java’s URI parser then fails to extract the user-info, leaving only the raw authority field. Keycloak’s subsequent validation check misses the malformed user-info, falls back to a wildcard comparison, and erroneously permits the malicious redirect. This design oversight effectively nullifies the intended security control for certain configurations.

With a CVSS score of 8.1 (HIGH), this vulnerability presents a significant risk for organizations using vulnerable Keycloak configurations. The ability to redirect users to attacker-controlled pages within a trusted domain can be leveraged for sophisticated phishing, credential harvesting, or session hijacking attacks, making it a critical concern for identity and access management security.