Platform: java
Component: keycloak
Fixed in: 1.10.0, 2.5.4
CVE-2026-37977 describes an Information Disclosure vulnerability discovered in Keycloak. An attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection flaw within the User-Managed Access (UMA) token endpoint. This vulnerability affects Keycloak versions 1.0.0 through 2.5.3 and has been resolved in version 2.5.4.
This vulnerability allows a remote attacker to inject a malicious CORS header by crafting a specially designed JSON Web Token (JWT). The flaw arises because the azp claim within the JWT is used to set the Access-Control-Allow-Origin header before the JWT signature is validated. Even if the grant is subsequently rejected, the attacker-controlled azp value is reflected as the CORS origin, potentially exposing low-sensitivity information. While the CVSS score is LOW, the potential for information leakage, even if limited, warrants immediate attention. This could be leveraged to gather insights into the Keycloak deployment and potentially aid in further attacks.
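To make the ordering defect concrete, the following is an added Python model of a token endpoint, written for this page and not taken from Keycloak's code base. It hand-rolls HS256 so it runs offline; the key, the CLIENT_ORIGINS client-to-origin table and all function names are assumptions for illustration only. The vulnerable handler copies azp into Access-Control-Allow-Origin before checking the signature, so a rejected grant still carries the reflected origin; the hardened handler verifies first and then only emits an origin registered for that client.

```python
import base64
import hashlib
import hmac
import json

SHARED_SECRET = b"constructed-demo-key"  # constructed; not a real Keycloak signing key
# Assumed client -> registered web origin table; Keycloak's own client store is not modelled.
CLIENT_ORIGINS = {"demo-client": "https://app.example.test"}

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims, key):
    """Hand-rolled HS256 compact JWT so the example runs offline."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def unverified_claims(token):
    """Decodes the payload without any signature check (what the bug relies on)."""
    return json.loads(b64url_decode(token.split(".")[1]))

def signature_valid(token, key):
    head, body, sig = token.split(".")
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))

def vulnerable_endpoint(token):
    """Models the flaw: azp is reflected as the CORS origin before the signature check."""
    headers = {"Access-Control-Allow-Origin": unverified_claims(token).get("azp")}  # BUG
    if not signature_valid(token, SHARED_SECRET):
        return 401, headers  # grant rejected, yet the reflected origin is already set
    return 200, headers

def hardened_endpoint(token):
    """Verify the signature first; then allow only an origin registered for that azp."""
    if not signature_valid(token, SHARED_SECRET):
        return 401, {}  # no CORS header at all for an unverifiable token
    origin = CLIENT_ORIGINS.get(unverified_claims(token).get("azp"))
    return (200, {"Access-Control-Allow-Origin": origin}) if origin else (403, {})

if __name__ == "__main__":
    good = make_jwt({"azp": "demo-client"}, SHARED_SECRET)
    bad = make_jwt({"azp": "https://attacker.example.test"}, b"not-the-server-key")
    print("vulnerable:", vulnerable_endpoint(bad))  # (401, {...: 'https://attacker.example.test'})
    print("hardened:", hardened_endpoint(bad))      # (401, {})
```

The defensive check worth copying is the order of operations in hardened_endpoint: no claim, azp included, influences a response header until the token has verified, and even then the origin comes from the registered client configuration rather than from the token itself.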
CVE-2026-37977 was publicly disclosed on 2026-04-06. No public proof-of-concept (PoC) code has been released at the time of writing. The vulnerability is not currently listed on the CISA KEV catalog. The EPSS score is likely to be low, reflecting the limited impact and lack of public exploits.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC: (no value listed)
CVSS Vector: (no value listed)
The primary mitigation is to upgrade Keycloak to version 2.5.4 or later, which contains the fix. As an interim measure, restrict the allowed client origins in Keycloak's configuration to prevent unauthorized requests. Carefully validate JWT signatures before using any claim to set CORS headers. Implement robust input validation to sanitize the azp claim and prevent malicious values from being injected. Review and tighten CORS policies to minimize the potential impact of this vulnerability.
Update Keycloak to version 2.5.4 or later to mitigate the vulnerability. The update corrects the handling of the `azp` claim in the JWT so that it is only used after signature validation, preventing CORS header injection. Review the Red Hat documentation for upgrade instructions specific to your environment.
CVE-2026-37977 is a vulnerability in Keycloak where a crafted JWT can inject a malicious CORS header, potentially exposing low-sensitivity information. It affects versions 1.0.0–2.5.3.
If you are running Keycloak versions 1.0.0 through 2.5.3, you are potentially affected by this vulnerability. Upgrade to version 2.5.4 or later to mitigate the risk.
The recommended fix is to upgrade Keycloak to version 2.5.4 or later. Interim mitigations include restricting client origins and validating JWT signatures.
As of the current date, there are no confirmed reports of active exploitation of CVE-2026-37977, but vigilance is still advised.
Refer to the official Keycloak security advisory for detailed information and updates: [https://www.keycloak.org/security/advisories](https://www.keycloak.org/security/advisories)