Cyber Resilience

CVE-2026-7504

HighUpdated

Published: 19 May 2026

Published
19 May 2026
Modified
30 June 2026
KEV Added
Patch
CVSS Score v3.1 8.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS Score 0.0050 39.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-7504 is a high-severity Open Redirect (CWE-601) vulnerability in Redhat Build Of Keycloak. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 39.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or…

more

facilitating further attacks. This vulnerability specifically affects Keycloak clients configured with a wildcard (*) in the "Valid Redirect URIs" field and requires user interaction to be successfully exploited. The issue stems from a discrepancy in how Keycloak and the underlying Java URI implementation handle the user-info component of a URL. If a malicious redirect URL is constructed using multiple @ characters in the user-info section, Java's URI parser fails to extract the user-info, leaving only the raw authority field. Consequently, Keycloak's validation check fails to detect the malformed user-info, falls back to a wildcard comparison, and incorrectly permits the malicious redirect.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1566.002 Spearphishing Link Initial Access
Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
Why these techniques?

Open redirect bypass in public-facing Keycloak auth service directly enables exploitation of the application (T1190) and supports delivery of malicious redirect links for phishing (T1566.002).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-3872Same product: Redhat Build Of Keycloak
CVE-2026-7507Same product: Redhat Build Of Keycloak
CVE-2026-7571Same product: Redhat Build Of Keycloak
CVE-2026-4282Same product: Redhat Build Of Keycloak
CVE-2026-4636Same product: Redhat Build Of Keycloak
CVE-2026-7307Same product: Redhat Build Of Keycloak
CVE-2026-9795Same product: Redhat Build Of Keycloak
CVE-2026-4634Same product: Redhat Build Of Keycloak
CVE-2026-3047Same product: Redhat Build Of Keycloak
CVE-2026-3009Same product: Redhat Build Of Keycloak

Affected Assets

redhat
build of keycloak
26.4 — 26.4.12

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-601

Security awareness includes verifying URLs and avoiding untrusted redirects that lead to malicious sites.

addresses: CWE-601

Validates redirect targets and URLs to ensure they conform to allowed destinations.

References