CVE-2026-0976
Low
Low
Medium
High
Critical
3.7
CVSS Score
Published: Jan 15, 2026
Last Modified: Jan 15, 2026
Vulnerability Description
A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.
CVSS Metrics
Common Vulnerability Scoring System
Vector String:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
N
Attack Complexity
H
Privileges Required
N
User Interaction
N
Scope
U
Confidentiality
L
Integrity
N
Availability
N
Severity Details
3.7
out of 10.0
Low
Key Information
- Published Date
- January 15, 2026
