Skip to content

CVE-2026-0707: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass #45649

Closed
cve
#45787
Closed
CVE-2026-0707: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass#45649
cve
#45787
Assignees
ValeriaEpifanova
Labels
kind/cveIssues identified as CVEs on third-party dependencies, or issues which Keycloak is not affectedpriority/importantMust be worked on very soonrelease/26.4.10release/26.5.4release/26.6.0team/core-clients
@abstractj

Description

@abstractj
abstractj
opened on Jan 21, 2026

Source: https://issues.redhat.com/browse/RHBK-4088

Security Tracking Issue

Flaw:

Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass

Keycloak’s authentication pipeline excessively tolerates non-standard Bearer token formats (case variations, Tab characters, multiple spaces, mixed whitespace) in the Authorization header, creating inconsistencies with front-end security controls (WAF/proxies) and enabling potential bypass risks.

This issue was originally tracked in the private repository as #309. Migrated via lift-embargo process.

Metadata

Metadata

Assignees

Labels

kind/cveIssues identified as CVEs on third-party dependencies, or issues which Keycloak is not affectedpriority/importantMust be worked on very soonrelease/26.4.10release/26.5.4release/26.6.0team/core-clients

Type

cve

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions