Bug 2429869 (CVE-2026-0976) - CVE-2026-0976 org.keycloak/keycloak-quarkus-server: Keycloak: Proxy bypass due to improper handling of matrix parameters in URL paths
Summary: CVE-2026-0976 org.keycloak/keycloak-quarkus-server: Keycloak: Proxy bypass du...
Keywords:
Status: NEW
Alias: CVE-2026-0976
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-01-15 07:10 UTC by OSIDB Bzimport
Modified: 2026-01-15 11:21 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-15 07:10:16 UTC
Improper input validation vulnerability in Keycloak related to the handling of matrix parameters in URL paths. The issue occurs because Keycloak, via its JAX-RS routing layer, accepts RFC-compliant matrix parameters (e.g., ;param) in path segments, while common reverse proxy configurations may ignore or mishandle them when enforcing access restrictions. A remote attacker can craft requests such as /realms;abc/master/account to mask path segments and bypass proxy-level path filtering. Although authentication is still required, this may expose administrative or sensitive endpoints that operators believe are not externally reachable. Exploitation is network-based, requires no authentication, and depends on the reverse proxy configuration in front of Keycloak.
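The masking effect described above, shown from the proxy operator's side as an added example (this is not Keycloak's or Red Hat's code). It assumes a proxy rule that is meant to block the master realm's account console, written here as a hypothetical prefix, and uses constructed access-log lines rather than real traffic. The naive check compares the raw request path, so `/realms;abc/master/account` slips past it; the hardened check first rewrites each path segment the way the JAX-RS routing layer will interpret it (dropping `;...` matrix parameters, after percent-decoding), and the log scan flags requests whose path carried matrix parameters together with the path they actually resolved to.

```python
import re
from urllib.parse import unquote

# Hypothetical proxy rule (assumption, not taken from the advisory): the master
# realm's account console is supposed to be unreachable from outside.
BLOCKED_PREFIXES = ("/realms/master/account",)


def naive_is_blocked(path: str) -> bool:
    """Prefix match on the raw path, the way a simple proxy location rule behaves."""
    return any(path.startswith(prefix) for prefix in BLOCKED_PREFIXES)


def strip_matrix_params(path: str) -> str:
    """Rewrite the path as the JAX-RS router will see it.

    JAX-RS reads '/realms;abc/master/account' as segment 'realms' carrying the
    matrix parameter 'abc', so the request routes to '/realms/master/account'.
    The query string is split off first (a ';' there is legitimate), and the
    path is percent-decoded so an encoded '%3B' is handled the same way.
    """
    path_only = path.split("?", 1)[0]
    segments = unquote(path_only).split("/")
    return "/".join(segment.split(";", 1)[0] for segment in segments)


def hardened_is_blocked(path: str) -> bool:
    """Apply the same prefix rule, but to the path the backend will interpret."""
    return naive_is_blocked(strip_matrix_params(path))


def has_matrix_params(path: str) -> bool:
    """True if any path segment carries a ';' (after percent-decoding)."""
    return ";" in unquote(path.split("?", 1)[0])


# Common-log-format line: client, ident, user, [timestamp], "METHOD PATH PROTO".
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)"'
)

# Constructed sample access log (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2026:08:00:01 +0000] "GET /realms/demo/account HTTP/1.1" 200 512
10.0.0.9 - - [15/Jan/2026:08:00:02 +0000] "GET /realms;abc/master/account HTTP/1.1" 200 2048
10.0.0.9 - - [15/Jan/2026:08:00:03 +0000] "GET /realms/master/account HTTP/1.1" 403 0
"""


def find_matrix_requests(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client, raw_path, effective_path) for requests that used matrix parameters."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in common log format
        client, raw_path = match.group("client"), match.group("path")
        if has_matrix_params(raw_path):
            hits.append((client, raw_path, strip_matrix_params(raw_path)))
    return hits


if __name__ == "__main__":
    probe = "/realms;abc/master/account"
    print("naive rule blocks it:   ", naive_is_blocked(probe))      # False
    print("hardened rule blocks it:", hardened_is_blocked(probe))   # True
    for client, raw, effective in find_matrix_requests(SAMPLE_LOG):
        print(f"{client} requested {raw} -> resolves to {effective}")
```

The hardened check is deliberately conservative: it decodes and strips before comparing, so a request is judged by the path Keycloak will route, not by the bytes the proxy happened to receive. An even simpler policy for a proxy that never needs matrix parameters is to reject any request path containing `;` outright; `has_matrix_params` is the predicate for that rule and for retrospective log review.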

