CVE-2026-37977— Keycloak: org.keycloak.protocol.oidc.grants.ciba: keycloak: information disclosure via cors header injection due to unvalidated jwt azp claim
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-37977
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Keycloak: org.keycloak.protocol.oidc.grants.ciba: keycloak: information disclosure via cors header injection due to unvalidated jwt azp claim
Source: NVD (National Vulnerability Database)
Vulnerability Description
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
源验证错误
Source: NVD (National Vulnerability Database)
Vulnerability Title
Keycloak 访问控制错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Keycloak是Keycloak开源的一种开源身份和访问管理解决方案。 Keycloak存在访问控制错误漏洞,该漏洞源于用户管理访问令牌端点存在跨域资源共享标头注入,可能导致授权服务器错误响应中的低敏感性信息泄露。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Red Hat | Red Hat Build of Keycloak | - | cpe:/a:redhat:build_keycloak: |
II. Public POCs for CVE-2026-37977
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-37977
请登录查看更多情报信息。
Same Patch Batch · Red Hat · 2026-04-06 · 3 CVEs total
| CVE-2026-5673 | 5.6 MEDIUM | Libtheora: libtheora: denial of service or information disclosure via malformed avi file p |
| CVE-2026-5704 | 5.0 MEDIUM | Tar: tar: hidden file injection via crafted archives |
IV. Related Vulnerabilities
Same product: Red Hat Build of Keycloak
- CVE-2026-7500
Org.keycloak.keycloak-services: improper access control on k - CVE-2026-37980
Org.keycloak.forms.login: keycloak: keycloak: arbitrary code - CVE-2026-4874
Org.keycloak.protocol.oidc.grants: org.keycloak.services.man - CVE-2026-4633
Keycloak: keycloak: user enumeration via differential error - CVE-2026-4628
Keycloak: org.keycloak.authorization: keycloak: unauthorized
Same vendor: Red Hat
- CVE-2026-42011
Gnutls: gnutls: security bypass due to incorrect name constr - CVE-2026-42010
Gnutls: gnutls: authentication bypass via nul character in u - CVE-2026-6420
Keylime: keylime: security bypass due to hardcoded tpm quote - CVE-2026-34956
Openvswitch: open vswitch: denial of service via malformed f - CVE-2026-34002
Xorg: xwayland: x.org x server: information disclosure or de
Same weakness: CWE-346
- CVE-2026-6508
RCE in TUBITAK BILGEM's Liderahenk - CVE-2026-43870
Apache Thrift: Node.js web_server.js multi-vulnerability - CVE-2026-7439
AgentFlow Local Web API Content-Type Validation Bypass - CVE-2026-41398
OpenClaw - Unauthorized Agent Request Dispatch via Untrusted - CVE-2026-41393
OpenClaw < 2026.3.31 - Arbitrary DNS Authority Acceptance an
V. Comments for CVE-2026-37977
No comments yet