CVE-2026-7504: URL Redirection to Untrusted Site ('Open Redirect') in Red Hat Red Hat Build of Keycloak
CVE-2026-7504 is a high-severity open redirect vulnerability in the Red Hat Build of Keycloak. It arises from a flaw in Keycloak's URL validation logic during redirect operations, specifically when clients use a wildcard (*) in the "Valid Redirect URIs" configuration. The vulnerability exploits a discrepancy between Keycloak and Java's URI parser handling of the user-info component containing multiple '@' characters, allowing attackers to bypass validation and redirect users to unauthorized URLs. Exploitation requires user interaction. This could lead to exposure of sensitive information or facilitate further attacks within the domain.
AI Analysis
Technical Summary
This vulnerability in Red Hat Build of Keycloak involves improper validation of redirect URLs when the client configuration includes a wildcard in the "Valid Redirect URIs" field. The root cause is a mismatch between Keycloak's validation logic and the Java URI parser's handling of the user-info section of URLs containing multiple '@' characters. Java's parser fails to extract user-info correctly, causing Keycloak to fall back to a permissive wildcard check and incorrectly allow malicious redirects. Successful exploitation requires user interaction and can lead to unauthorized URL redirection.
Potential Impact
Successful exploitation allows attackers to redirect users to untrusted URLs despite validation controls, potentially exposing sensitive information within the domain or enabling further attacks such as phishing. The CVSS score of 8.1 indicates high severity with network attack vector, low attack complexity, no privileges required, user interaction needed, and high confidentiality and integrity impact. There is no indication of availability impact or known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-7504 for current remediation guidance. Until an official fix is available, avoid configuring Keycloak clients with a wildcard (*) in the "Valid Redirect URIs" field to reduce exposure. Monitor Red Hat's advisory for updates and apply official patches promptly once released.
CVE-2026-7504: URL Redirection to Untrusted Site ('Open Redirect') in Red Hat Red Hat Build of Keycloak
Description
CVE-2026-7504 is a high-severity open redirect vulnerability in the Red Hat Build of Keycloak. It arises from a flaw in Keycloak's URL validation logic during redirect operations, specifically when clients use a wildcard (*) in the "Valid Redirect URIs" configuration. The vulnerability exploits a discrepancy between Keycloak and Java's URI parser handling of the user-info component containing multiple '@' characters, allowing attackers to bypass validation and redirect users to unauthorized URLs. Exploitation requires user interaction. This could lead to exposure of sensitive information or facilitate further attacks within the domain.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Red Hat Build of Keycloak involves improper validation of redirect URLs when the client configuration includes a wildcard in the "Valid Redirect URIs" field. The root cause is a mismatch between Keycloak's validation logic and the Java URI parser's handling of the user-info section of URLs containing multiple '@' characters. Java's parser fails to extract user-info correctly, causing Keycloak to fall back to a permissive wildcard check and incorrectly allow malicious redirects. Successful exploitation requires user interaction and can lead to unauthorized URL redirection.
Potential Impact
Successful exploitation allows attackers to redirect users to untrusted URLs despite validation controls, potentially exposing sensitive information within the domain or enabling further attacks such as phishing. The CVSS score of 8.1 indicates high severity with network attack vector, low attack complexity, no privileges required, user interaction needed, and high confidentiality and integrity impact. There is no indication of availability impact or known exploits in the wild at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory at https://access.redhat.com/security/cve/CVE-2026-7504 for current remediation guidance. Until an official fix is available, avoid configuring Keycloak clients with a wildcard (*) in the "Valid Redirect URIs" field to reduce exposure. Monitor Red Hat's advisory for updates and apply official patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-04-30T14:48:04.317Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
- Vendor Advisory Urls
- [{"url":"https://access.redhat.com/security/cve/CVE-2026-7504","vendor":"Red Hat"}]
Threat ID: 6a0c47d9ec166c07b097b835
Added to database: 5/19/2026, 11:22:01 AM
Last enriched: 5/19/2026, 11:36:48 AM
Last updated: 5/19/2026, 12:31:00 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.