Keycloak accepts redirect URIs containing pre-loaded OIDC response parameters (iss, code, state, session_state) when wildcard redirect URIs are configured on a client. After successful authentication, OIDCRedirectUriBuilder.addParam() appends Keycloak's own response parameters without checking for duplicates, resulting in a polluted redirect URL with duplicate parameters. Client applications using first-wins parameter parsing may trust attacker-controlled values.

Successful exploitation requires:
- a client must have a wildcard redirect URI registered (e.g., http://localhost:8080/*)
- the victim must follow an attacker-crafted authorization URL
- the client application must use a first-wins parsing strategy for duplicate query parameters

This issue affects all versions.
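The two checks a defender can apply against this issue, as an added example that is not Keycloak's code: on the authorization-server side, reject a redirect_uri that already carries any of the reserved response parameters, and on the client side, refuse an authorization response whose query string contains a duplicated parameter instead of silently picking the first or last occurrence. The function names and the sample URLs are constructed for this example; the comparison between first-wins and last-wins parsing shows why the first-wins precondition matters.

```python
from __future__ import annotations

from urllib.parse import parse_qs, parse_qsl, urlsplit

# Authorization-response parameters the identity provider appends after login.
# A redirect_uri supplied in the authorization request should never carry them.
RESERVED_RESPONSE_PARAMS = frozenset({"iss", "code", "state", "session_state"})


def reserved_params_in_redirect_uri(redirect_uri: str) -> set[str]:
    """Server-side check: reserved response parameters pre-loaded in redirect_uri.

    An authorization server, or a proxy in front of it, can reject the request
    when this set is non-empty rather than relying on wildcard matching alone.
    """
    keys = {k for k, _ in parse_qsl(urlsplit(redirect_uri).query, keep_blank_values=True)}
    return keys & RESERVED_RESPONSE_PARAMS


def duplicated_params(callback_url: str) -> dict[str, list[str]]:
    """Client-side check: every query parameter that occurs more than once, with all values."""
    grouped = parse_qs(urlsplit(callback_url).query, keep_blank_values=True)
    return {k: v for k, v in grouped.items() if len(v) > 1}


def parse_first_wins(callback_url: str) -> dict[str, str]:
    """The fragile strategy: keep the first occurrence of each parameter."""
    result: dict[str, str] = {}
    for k, v in parse_qsl(urlsplit(callback_url).query, keep_blank_values=True):
        result.setdefault(k, v)
    return result


def parse_last_wins(callback_url: str) -> dict[str, str]:
    """dict() over the pairs keeps the last occurrence of each parameter."""
    return dict(parse_qsl(urlsplit(callback_url).query, keep_blank_values=True))


def parse_callback_strict(callback_url: str) -> dict[str, str]:
    """Recommended: refuse the authorization response if any parameter is duplicated."""
    dupes = duplicated_params(callback_url)
    if dupes:
        raise ValueError(f"duplicate authorization-response parameters: {sorted(dupes)}")
    return parse_last_wins(callback_url)


# Constructed sample inputs (not captured from a real deployment).
PRELOADED_REDIRECT_URI = (
    "http://localhost:8080/callback?code=PRELOADED_CODE&state=PRELOADED_STATE"
)
# What the client would receive once the provider appends its own parameters.
POLLUTED_CALLBACK = (
    PRELOADED_REDIRECT_URI
    + "&iss=http://idp.example/realms/demo&state=REAL_STATE"
    + "&session_state=REAL_SESSION&code=REAL_CODE"
)
CLEAN_CALLBACK = (
    "http://localhost:8080/callback?iss=http://idp.example/realms/demo"
    "&state=REAL_STATE&session_state=REAL_SESSION&code=REAL_CODE"
)

if __name__ == "__main__":
    print("reserved params pre-loaded:", reserved_params_in_redirect_uri(PRELOADED_REDIRECT_URI))
    print("duplicates in callback:", duplicated_params(POLLUTED_CALLBACK))
    print("first-wins sees code =", parse_first_wins(POLLUTED_CALLBACK)["code"])
    print("last-wins sees code  =", parse_last_wins(POLLUTED_CALLBACK)["code"])
    try:
        parse_callback_strict(POLLUTED_CALLBACK)
    except ValueError as exc:
        print("strict parser rejected:", exc)
```

The strict parser is the safer client-side posture regardless of which occurrence a framework would otherwise prefer: a legitimate authorization response never contains the same parameter twice, so a duplicate is a reliable signal to abort the flow and log the callback URL for investigation.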