Keycloak Header Parser Permissive Bearer Token Validation (CVE-2026-0707)
CVE-2026-0707 Published on January 8, 2026
Keycloak: keycloak authorization header parsing leading to potential security control bypass
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.
Vulnerability Analysis
CVE-2026-0707 can be exploited with network access, and does not require authorization privileges or user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality, with no impact on integrity, and no impact on availability.
Timeline
Reported to Red Hat.
Made public.
Weakness Type
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection. For instance, the character strings /./ and / both mean current directory. If /SomeDirectory is a protected directory and an attacker requests /./SomeDirectory, the attacker may be able to gain access to the resource if /./ is not converted to / before the authorization check is performed.
Products Associated with CVE-2026-0707
Want to know whenever a new CVE is published for Red Hat Build Keycloak? stack.watch will email you.
Affected Versions
Red Hat build of Keycloak 26.4:- Version 26.4.10-1 and below * is unaffected.
- Version 26.4-12 and below * is unaffected.
- Version 26.4-12 and below * is unaffected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.