Improper input validation vulnerability in Keycloak related to the handling of matrix parameters in URL paths. The issue occurs because Keycloak, via its JAX-RS routing layer, accepts RFC 3986 path parameters ("matrix parameters", e.g. ;param appended to a path segment), while common reverse proxy configurations match the raw request path and therefore ignore or mishandle such segments when enforcing access restrictions. A remote attacker can craft requests such as /realms;abc/master/account so that a path segment no longer matches the proxy's filter, yet Keycloak still routes it to the intended resource, bypassing proxy-level path filtering. This may expose administrative or other sensitive endpoints that operators believe are not externally reachable. Exploitation is network-based and requires no authentication to defeat the proxy filter itself; the endpoints reached this way still enforce Keycloak's own authentication, and the practical impact depends on the reverse proxy configuration in front of Keycloak.
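The mismatch described above, as an added illustration that is not code from Red Hat, Keycloak or any proxy project: a naive reverse-proxy deny list compared against the raw request path lets a segment carrying a matrix parameter through, while a JAX-RS-style router strips the parameter and serves the denied resource anyway. The deny list, request paths and the normalisation function are constructed for this example; strip_matrix_params approximates JAX-RS segment matching and is not Keycloak's routing code.

```python
"""Added example contrasting a raw-path proxy filter with JAX-RS-style
path handling. Deny list and paths are constructed; normalisation is an
approximation of JAX-RS segment matching, not Keycloak's own code."""
from urllib.parse import unquote

# Constructed deny list: the operator intends /admin/... to be unreachable
# from the outside while /realms/... stays public.
DENY_PREFIXES = ("/admin",)


def strip_matrix_params(path: str) -> str:
    """Remove matrix parameters (';key=value') from every path segment.

    '/admin;x=1/master/console' -> '/admin/master/console'
    """
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def _starts_with_prefix(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix + "/")


def naive_proxy_blocks(raw_path: str) -> bool:
    """Weak rule: compare the raw request path against the deny list.

    A segment carrying a matrix parameter ('/admin;x') no longer starts
    with '/admin/', so this rule lets the request through.
    """
    return any(_starts_with_prefix(raw_path, p) for p in DENY_PREFIXES)


def backend_routes_to(raw_path: str) -> str:
    """Approximate the path a JAX-RS router matches resources against:
    percent-decode, then set matrix parameters aside (assumption)."""
    return strip_matrix_params(unquote(raw_path))


def hardened_proxy_blocks(raw_path: str) -> bool:
    """Stronger rule: normalise the path the way the backend will before
    applying the deny list, so proxy and backend agree on what was asked."""
    return any(_starts_with_prefix(backend_routes_to(raw_path), p)
               for p in DENY_PREFIXES)


def compare(raw_path: str) -> dict:
    """Summarise how each party treats one request path."""
    return {
        "raw": raw_path,
        "backend_sees": backend_routes_to(raw_path),
        "naive_blocks": naive_proxy_blocks(raw_path),
        "hardened_blocks": hardened_proxy_blocks(raw_path),
    }


if __name__ == "__main__":
    for p in ("/admin/master/console",
              "/admin;x=1/master/console",
              "/admin%3Bx/master/console",
              "/realms;abc/master/account"):
        print(compare(p))
```

Running it shows that /admin;x=1/master/console and its percent-encoded form /admin%3Bx/master/console slip past the naive rule while the backend still sees /admin/master/console; the hardened rule blocks both. In a real deployment the proxy must decode and normalise in the same order the backend does (percent-decoding before segment splitting, as here, changes how %2F is treated), and the safer posture is to reject ';' in paths outright or not rely on proxy path filtering alone to hide Keycloak endpoints.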