CVE-2026-37977: Origin Validation Error in Red Hat Red Hat Build of Keycloak
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
AI Analysis
Technical Summary
This vulnerability in Red Hat Build of Keycloak's User-Managed Access (UMA) token endpoint allows a remote attacker to inject a malicious origin into the Access-Control-Allow-Origin header by supplying a specially crafted JWT with an attacker-controlled 'azp' claim. The flaw occurs because the header is set prior to JWT signature validation, enabling origin reflection even when the token is invalid. This weakens origin isolation and may expose low-sensitivity authorization server error information, but only if the client is configured with permissive CORS settings (webOrigins: ['*']).
Potential Impact
The impact is limited to the exposure of low-sensitivity information from authorization server error responses due to weakened origin isolation. There is no direct compromise of confidentiality, integrity, or availability of the system. The vulnerability requires a misconfiguration (webOrigins: ['*']) on the client side to be exploitable. The CVSS score is 3.7 (low severity), reflecting limited impact and the requirement for high attack complexity.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-37977 for current remediation guidance. Until an official fix is available, avoid configuring clients with webOrigins set to ['*'] to prevent exploitation. No other specific mitigations are indicated by the vendor advisory.
CVE-2026-37977: Origin Validation Error in Red Hat Red Hat Build of Keycloak
Description
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Red Hat Build of Keycloak's User-Managed Access (UMA) token endpoint allows a remote attacker to inject a malicious origin into the Access-Control-Allow-Origin header by supplying a specially crafted JWT with an attacker-controlled 'azp' claim. The flaw occurs because the header is set prior to JWT signature validation, enabling origin reflection even when the token is invalid. This weakens origin isolation and may expose low-sensitivity authorization server error information, but only if the client is configured with permissive CORS settings (webOrigins: ['*']).
Potential Impact
The impact is limited to the exposure of low-sensitivity information from authorization server error responses due to weakened origin isolation. There is no direct compromise of confidentiality, integrity, or availability of the system. The vulnerability requires a misconfiguration (webOrigins: ['*']) on the client side to be exploitable. The CVSS score is 3.7 (low severity), reflecting limited impact and the requirement for high attack complexity.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-37977 for current remediation guidance. Until an official fix is available, avoid configuring clients with webOrigins set to ['*'] to prevent exploitation. No other specific mitigations are indicated by the vendor advisory.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-04-06T07:48:39.721Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-37977","vendor":"Red Hat"}]
Threat ID: 69d372ac0a160ebd9293290b
Added to database: 4/6/2026, 8:45:32 AM
Last enriched: 4/24/2026, 11:07:23 PM
Last updated: 5/21/2026, 7:30:53 PM
Views: 69
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.