CVE ID: CVE-2026-0976
Product: Keycloak
Vulnerability Type: Proxy Filter Bypass / URL Parsing Mismatch
Severity: High (Context-dependent)
CVSS v3.1 Score: 3.7 (Base)
Attack Vector: Network
Authentication Required: No (to attempt)
User Interaction: None
Exploitability: Medium (depends on proxy configuration)
Exploit Availability: No public weaponized exploit; conceptual exploitation is trivial
Status: Patch available / Upgrade recommended
Overview
CVE-2026-0976 is a proxy-level access control bypass affecting Keycloak deployments that sit behind reverse proxies, API gateways, or web application firewalls.
The issue stems from inconsistent handling of matrix parameters (a ';' inside a path segment, for example /realms;name=value/master) between Keycloak and the proxy components placed in front of it. Matrix parameters are valid URI syntax (RFC 3986 permits ';' within a path segment) and Keycloak interprets them as parameters attached to a segment, but many proxies apply their path rules to the raw request string and either ignore the ';', strip it, or fail to normalize the path before the rule is evaluated.
This discrepancy allows a remote attacker to craft URLs that look harmless, or match no rule at all, at the proxy, but are resolved by Keycloak to a different logical path, potentially exposing sensitive or administrative endpoints that were assumed to be protected.
Root Cause Explained
- Keycloak follows the URI specification and accepts matrix parameters embedded inside path segments, so /realms;ignored/master/account resolves to the same resource as /realms/master/account.
- Many reverse proxies perform path-based filtering on the raw request path and do not normalize or inspect URLs containing ';' before applying their rules.
- Because of this mismatch:
- The proxy evaluates one version of the path
- Keycloak processes a different logical path
This creates a gap where proxy rules can be bypassed, even though Keycloak's own authentication and authorization still apply behind the proxy.
Example of How the Vulnerability Can Be Exploited
(Educational use only)
Assume a reverse proxy blocks access to Keycloak admin or master realm paths:
/realms/master/*
An attacker sends a crafted request:
GET /realms;ignored/master/account HTTP/1.1
Host: keycloak.example.com
What happens:
- Proxy: may treat ;ignored as irrelevant, or simply not recognize the first segment as realms, so the block rule for /realms/master/* does not match and the request is forwarded
- Keycloak: strips the matrix parameter from the segment, resolves the path as /realms/master/account and routes the request internally
Result:
- The request reaches endpoints that the organization believed were inaccessible from the internet.
Important:
This does not bypass Keycloak's own authentication, but it exposes endpoints that were meant to be unreachable from the internet, increasing the attack surface for credential abuse, user and realm enumeration, or chained attacks.
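To make the mismatch concrete, the following Python model is an added example (not Keycloak's code and not any real proxy's configuration): a naive proxy rule that matches deny prefixes against the raw path, a stand-in for Keycloak's routing that strips matrix parameters from each segment before matching, and a hardened proxy rule that evaluates the same logical path. The deny list and the probe URLs are constructed for illustration, and the assumption that a percent-encoded ';' (%3B) is decoded before the matrix parameter is split off is part of this model, not a statement about Keycloak's exact behaviour. The probe set goes slightly beyond the advisory's single request to cover the edge cases a proxy rule test should include.

```python
"""Model of the proxy/Keycloak path-parsing mismatch behind CVE-2026-0976.

Illustration only: the 'proxy' and 'Keycloak' here are small stand-ins for the
behaviour the advisory describes, not real proxy or Keycloak code.
"""
from urllib.parse import unquote

# Hypothetical deny list: the operator believes these prefixes are unreachable
# from the internet once the proxy rule is in place.
DENIED_PREFIXES = ("/realms/master/", "/admin/")


def strip_matrix_params(raw_path: str) -> str:
    """Return the logical path Keycloak would route on.

    Percent-decodes, then drops ';...' from every path segment, modelling the
    matrix-parameter semantics the advisory attributes to Keycloak:
    '/realms;ignored/master/account' -> '/realms/master/account'.
    Decoding %3B before splitting is an assumption of this model.
    """
    decoded = unquote(raw_path)
    return "/".join(seg.split(";", 1)[0] for seg in decoded.split("/"))


def naive_proxy_allows(raw_path: str) -> bool:
    """Deny rule applied to the raw request path with no normalization.

    '/realms;ignored/master/account' does not start with '/realms/master/',
    so the rule never fires and the request is forwarded unchanged.
    """
    return not raw_path.startswith(DENIED_PREFIXES)


def hardened_proxy_allows(raw_path: str, reject_matrix_params: bool = True) -> bool:
    """Deny rule evaluated on the same logical path Keycloak will see.

    With reject_matrix_params=True any request carrying ';' in its decoded path
    is refused outright (the advisory's 'block' option); otherwise the path is
    normalized first and then matched (the 'normalize' option).
    """
    if reject_matrix_params and ";" in unquote(raw_path):
        return False
    return not strip_matrix_params(raw_path).startswith(DENIED_PREFIXES)


def evaluate(raw_path: str) -> dict:
    """Compare both proxy decisions against the path Keycloak would route."""
    logical = strip_matrix_params(raw_path)
    naive = naive_proxy_allows(raw_path)
    return {
        "raw": raw_path,
        "keycloak_route": logical,
        "naive_forwards": naive,
        "hardened_forwards": hardened_proxy_allows(raw_path),
        # A bypass is a request the naive proxy forwards although its logical
        # path falls under a denied prefix.
        "bypass": naive and logical.startswith(DENIED_PREFIXES),
    }


# Constructed probe set: the advisory's example plus a few edge-case variants
# a rule test should cover (later-segment parameter, percent-encoded ';').
PROBES = [
    "/realms/master/account",            # direct request: denied by both rules
    "/realms;ignored/master/account",    # the advisory's example
    "/realms/master;v=1/account",        # matrix parameter on a later segment
    "/realms%3Bignored/master/account",  # percent-encoded semicolon
    "/admin;x/master/console",           # admin console behind the /admin/ rule
    "/realms/demo/account",              # ordinary realm: forwarded by both rules
]

if __name__ == "__main__":
    for probe in PROBES:
        r = evaluate(probe)
        print(f"{probe:36} -> {r['keycloak_route']:24} "
              f"naive={'fwd' if r['naive_forwards'] else 'deny'} "
              f"hardened={'fwd' if r['hardened_forwards'] else 'deny'} "
              f"bypass={r['bypass']}")
```

Running the script shows four of the six probes slipping past the naive rule while the hardened rule denies all of them and still forwards the ordinary /realms/demo/account request. The same probe list is a reasonable starting point for the periodic rule testing recommended further down: send each variant through the real proxy and confirm that the responses match the hardened column.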
Potential Impact
- Exposure of internal or administrative Keycloak endpoints
- Increased risk of credential brute-force, token abuse, or misconfiguration exploitation
- Security controls enforced at the proxy layer become unreliable
- False sense of perimeter security
The real-world impact is highly dependent on deployment architecture, which is why the CVSS base score appears low while operational risk may be high.
Proof of Concept (PoC) Status
- No official or public weaponized exploit is currently available
- Exploitation requires only basic HTTP knowledge
- Attack logic is simple and reproducible for testing purposes
- Abuse is easy to attempt but success depends on proxy behavior
This makes the vulnerability attractive for opportunistic attackers once knowledge spreads.
Detection & Threat Hunting Guidance
What to Look For
Monitor for semicolon (;) usage inside URL paths, especially in requests targeting Keycloak endpoints such as:
/realms
/admin
/account
/console
Example Suspicious Requests
/realms;test/master
/admin;xyz/console
/auth/realms;param/master
Log Sources to Monitor
- Reverse proxy access logs (NGINX, Apache, HAProxy, Envoy)
- Keycloak access logs
- WAF and API gateway logs
- Authentication and admin activity logs inside Keycloak
Detection Rules
Proxy / Web Server Logs
Search the request path for ;/ (a matrix parameter that closes a path segment), or more broadly for any ; anywhere in the path component. Apply the search after percent-decoding so that an encoded %3B is caught as well.
Filter results further by paths containing /realms, /admin, or /account.
SIEM Query Logic
- Match requests where:
- URL path (the part before any ?) contains ;
- Destination service is Keycloak
- Source IP is external or untrusted
WAF / IDS Rule Concept
Trigger alert or block if:
- Request URI path contains a semicolon (checked after percent-decoding)
- AND request targets Keycloak endpoints
This is a low-noise rule in most environments, provided it is scoped to the path component: a semicolon can legitimately appear inside query-string values, so a rule that matches the full URI including the query string will produce false positives.
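The detection logic above, run over proxy access logs, as an added example (not a rule shipped with any SIEM, WAF or with Keycloak). The log lines are constructed for illustration in combined log format; the trusted address ranges and the Keycloak path prefixes are assumptions to replace with the deployment's own. The hunt inspects only the path component, percent-decodes it so that %3B is treated like a literal ';', matches the Keycloak prefixes against the logical path (matrix parameters removed), and ranks a hit as high when it comes from an untrusted source and the proxy recorded a 2xx/3xx, which means the request was forwarded and the path rule did not fire.

```python
"""Hunt proxy access logs for matrix-parameter probes aimed at Keycloak.

Added example: the log lines below are constructed for illustration, and the
trusted ranges and Keycloak prefixes are assumptions to adjust per deployment.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Combined log format as written by NGINX/Apache:
# ip - user [timestamp] "METHOD target HTTP/x.y" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)

# Path prefixes served by Keycloak; /auth covers the older URL layout.
KEYCLOAK_PREFIXES = ("/realms", "/admin", "/account", "/auth/realms")

# Assumed trusted ranges (VPN, internal network); replace with the real ones.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample, not real traffic. Line 5 carries a ';' only in the query
# string (must not alert) and line 7 uses a percent-encoded ';' (must alert).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:10:01:02 +0000] "GET /realms/master/account HTTP/1.1" 403 0
203.0.113.7 - - [10/Feb/2026:10:01:05 +0000] "GET /realms;ignored/master/account HTTP/1.1" 200 1532
198.51.100.4 - - [10/Feb/2026:10:02:11 +0000] "GET /admin;xyz/console HTTP/1.1" 200 4810
10.0.0.5 - - [10/Feb/2026:10:03:00 +0000] "GET /realms;test/master HTTP/1.1" 200 230
203.0.113.9 - - [10/Feb/2026:10:04:15 +0000] "GET /realms/demo/protocol/openid-connect/auth?state=a;b HTTP/1.1" 302 0
203.0.113.9 - - [10/Feb/2026:10:05:15 +0000] "GET /resources/app.js HTTP/1.1" 200 9000
203.0.113.9 - - [10/Feb/2026:10:06:15 +0000] "GET /realms%3Bx/master/account HTTP/1.1" 200 1532
"""


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside an allowlisted range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def hunt(log_text: str) -> list:
    """Return one finding per request with a ';' in its path aimed at Keycloak."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Inspect only the path component. Split on '?' before decoding so a
        # percent-encoded '?' inside the path does not truncate it, then decode
        # so %3B is treated like a literal ';'.
        path = unquote(m["target"].split("?", 1)[0])
        if ";" not in path:
            continue
        # Match the Keycloak prefixes against the logical path (matrix
        # parameters removed), which is what Keycloak itself routes on.
        logical = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
        if not logical.startswith(KEYCLOAK_PREFIXES):
            continue
        status = int(m["status"])
        external = not is_trusted(m["ip"])
        # A 2xx/3xx recorded by the proxy means it forwarded the request, i.e.
        # the path rule did not fire; that is the bypass signal, so rank it
        # high when it comes from an untrusted source.
        forwarded = status < 400
        findings.append({
            "ip": m["ip"],
            "raw_path": path,
            "logical_path": logical,
            "status": status,
            "external": external,
            "severity": "high" if external and forwarded else "medium",
        })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"[{f['severity']:6}] {f['ip']:14} {f['status']} "
              f"{f['raw_path']} -> {f['logical_path']}")
```

Run it against the real proxy logs in place of SAMPLE_LOG. The severity ranking relies on the status the proxy recorded, so confirm in Keycloak's own access logs that a forwarded request actually reached the endpoint before treating a high finding as a confirmed bypass.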
MITRE ATT&CK Mapping
- T1190 – Exploit Public-Facing Application
This vulnerability fits the category of abusing protocol and parsing differences in exposed identity services.
Mitigation & Hardening Recommendations
Immediate Defensive Actions
- Do not rely solely on proxy path filtering
- Block or normalize semicolons (;) in URL paths at the proxy or WAF, after percent-decoding, so the rule sees the same logical path Keycloak will route on
- Restrict admin and master realm access by:
- IP allowlisting
- VPN
- Internal network only
- Add logging and alerts for unusual path patterns
Long-Term Fix
- Upgrade Keycloak to a patched version
- Ensure proxy and backend URL parsing behavior is aligned
- Review reverse proxy normalization settings
- Periodically test proxy rules with edge-case URL patterns
Official Patch / Upgrade Link
🔗 Keycloak Official Releases & Security Updates
https://www.keycloak.org/downloads
Always review the release notes for the version you upgrade to and confirm that CVE-2026-0976 is addressed in your chosen build or vendor distribution.
Final Takeaway
CVE-2026-0976 is not a classic exploitable flaw in Keycloak's own authentication but a dangerous architectural weakness when Keycloak is deployed behind proxies that filter on the raw request path. Organizations that assume proxy-layer protection without backend validation are most at risk.
Treat this vulnerability as high priority if Keycloak is internet-facing, especially in environments where administrative access is restricted only by URL path rules.
