CVE-2026-37977
3.7 LOW · A flaw was found in Keycloak
Published: 2026-04-06 · Last updated: 2026-06-10
Severity and scoring
- CVSS
- 3.7 LOW
- Vector
- CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
- CWE
- CWE-346
Affected products
| Vendor | Product |
|---|---|
| redhat | build_of_keycloak |
Description
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
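The ordering bug the description names (an unverified `azp` claim deciding the `Access-Control-Allow-Origin` header before the signature check, with the `webOrigins: ["*"]` misconfiguration turning that into reflection of an attacker origin) is easier to see in a small model. The following Python is an added example written for this page; it is not Keycloak's code and does not reproduce its request pipeline. It models a minimal HS256 token endpoint with a realm key, a client registry and a request `Origin`; the key, the two client names and the `allow_origin_for` policy are constructed assumptions. `vulnerable_cors` mirrors the flawed order (header chosen from the unverified claim, grant rejected afterwards), `fixed_cors` the corrected one (verify first, no CORS header on a rejected token).

```python
import base64
import hashlib
import hmac
import json

# Constructed sample data (hypothetical, not real Keycloak identifiers):
# a realm HMAC key and two client registrations, one of them with the
# wildcard webOrigins misconfiguration the advisory describes.
REALM_KEY = b"realm-hmac-key-for-demo-only"
CLIENTS = {
    "resource-server": {"webOrigins": ["https://app.example.com"]},
    "sloppy-client": {"webOrigins": ["*"]},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """HS256-sign a JWT in compact serialization (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def forge_jwt(claims: dict) -> str:
    """Attacker token: well-formed JWT signed with a key the realm never issued."""
    return make_jwt(claims, b"attacker-chosen-key")


def unverified_claims(token: str) -> dict:
    """Decode the payload WITHOUT checking the signature (the unsafe step)."""
    return json.loads(_unb64url(token.split(".")[1]))


def verified_claims(token: str, key: bytes) -> dict:
    """Decode the payload only after the HMAC signature checks out."""
    header, payload, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        raise ValueError("invalid signature")
    return json.loads(_unb64url(payload))


def allow_origin_for(client_id, request_origin):
    """Assumed policy: a client's webOrigins allow an exact match, and '*' allows
    (reflects) whatever Origin the request carried. Unknown client: no header."""
    client = CLIENTS.get(client_id)
    if client is None:
        return None
    origins = client["webOrigins"]
    if "*" in origins or request_origin in origins:
        return request_origin
    return None


def vulnerable_cors(token, request_origin, key=REALM_KEY):
    """Flawed order: CORS header derived from the unverified azp, grant rejected later.
    Returns (status, Access-Control-Allow-Origin value or None)."""
    azp = unverified_claims(token).get("azp")
    acao = allow_origin_for(azp, request_origin)  # header already decided here
    try:
        verified_claims(token, key)
        status = 200
    except ValueError:
        status = 400  # grant rejected, but acao still travels with the error response
    return status, acao


def fixed_cors(token, request_origin, key=REALM_KEY):
    """Corrected order: verify first; a token that fails verification gets no CORS header."""
    try:
        claims = verified_claims(token, key)
    except ValueError:
        return 400, None
    return 200, allow_origin_for(claims.get("azp"), request_origin)
```

With a forged token whose `azp` names `sloppy-client`, `vulnerable_cors` returns a 400 that still carries `Access-Control-Allow-Origin: https://evil.example`, which is exactly the cross-origin readability of error responses the CVSS vector scores as C:L; `fixed_cors` returns the 400 with no header. Pointing the same forged token at `resource-server` yields no header on either path, matching the description's caveat that the issue only bites for a client configured with `webOrigins: ["*"]`. Independently of patching, removing the wildcard from every client's web origins closes the exposure.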
Source: NVD
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-37977
- [Other] https://access.redhat.com/errata/RHSA-2026:25097
- [Other] https://access.redhat.com/errata/RHSA-2026:25098
- [Vendor advisory] https://access.redhat.com/security/cve/CVE-2026-37977
- [Vendor advisory] https://bugzilla.redhat.com/show_bug.cgi?id=2455324
Related CVEs
Same vendor
- CVE-2026-50259 — A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland (7.8 HIGH)
- CVE-2026-50258 — A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland (7.8 HIGH)
- CVE-2026-50257 — A use-after-free flaw was found in the X.Org X server and Xwayland in miSyncDestroyFence() (7.8 HIGH)
- CVE-2026-50256 — A stack-based buffer overflow flaw was found in the X.Org X server and Xwayland (7.8 HIGH)
- CVE-2026-1784 — The Route OpenShift resource allows to define routes to make pods reachable at a subdomain through HAProxy (8.8 HIGH)
Same CWE
- CVE-2026-42558 — Xibo is an open source digital signage platform with a web content management system and Windows display player software (7.6 HIGH)
- CVE-2026-10846 — NLnet Labs ldns 1.2.0 up to and including versions 1.9.0, when used in applications as (stub) resolver over UDP, lacks matching the query...
- CVE-2026-44755 — SAP Business Objects Business Intelligence Platform does not sufficiently validate email sending parameters supplied by authenticated use... (4.3 MEDIUM)
- CVE-2026-11693 — Inappropriate implementation in Plugins in Google Chrome prior to 149.0.7827.103 allowed a remote attacker who had compromised the render... (8.1 HIGH)
- CVE-2026-43972 — Origin Validation Error vulnerability in ninenines gun (gun_http2 module) allows cross-origin cookie injection via unvalidated HTTP/2 PUS...