LiveActive security incident?Get immediate response
CVE Record

CVE-2026-0707: Keycloak: keycloak authorization header parsing leading to potential security control bypass

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

MediumCVSS 5.3Not KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

Keycloak may accept malformed Bearer authentication headers that should be rejected. That can weaken controls relying on strict token-header parsing, creating a limited integrity risk rather than a confidentiality or availability event based on the supplied CVSS data.

Executive priority

Treat this as a moderate identity-platform issue. It does not show known exploitation or data disclosure in the bundle, but Keycloak often protects critical applications, so affected deployments should be inventoried and patched through vendor guidance.

Technical view

The flaw is overly permissive Authorization header parsing in Keycloak. Non-standard separators, including tabs, and case deviations from RFC 6750 may be accepted for the Bearer scheme. CVSS 5.3 indicates network reachability, low complexity, no privileges, no user interaction, and low integrity impact.

Likely exposure

Exposure is most likely where Red Hat build of Keycloak 26.4 packages listed as affected process bearer-token traffic. The bundle lists some 26.4 package builds as affected and Red Hat build of Keycloak 26.4.10 as unaffected.

Exploitation context

The source bundle does not identify active exploitation, and KEV is false. The likely abuse scenario is bypassing controls that depend on strict Authorization header formatting, but the sources do not describe a complete exploit chain.

Researcher notes

Evidence is limited to Red Hat and Keycloak public references in the bundle. The core issue is parser permissiveness versus RFC 6750 expectations. Avoid assuming broader upstream or downstream impact unless vendor advisories or deployment evidence confirm it.

Mitigation direction

  • Check Red Hat advisories RHSA-2026:3947 and RHSA-2026:3948 for vendor-approved updates.
  • Inventory Red Hat build of Keycloak 26.4 package versions against the affected list.
  • Prioritize upgrade or replacement of affected rhbk Keycloak packages.
  • Review gateways and custom filters that rely on strict Bearer header parsing.
  • Monitor vendor guidance and the linked Keycloak issue for remediation details.

Validation and detection

  • Confirm deployed Keycloak product, package name, and build version.
  • Compare installed rhbk packages with the affected and unaffected entries in the CVE record.
  • Review authentication logs for unusual Authorization header formatting patterns.
  • Verify compensating controls do not trust malformed Bearer scheme variants.
  • Track remediation status against Red Hat advisory guidance.
Prepared
Confidence
medium
Sources
7

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-551: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2026-0707 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Medium
CVSS
5.3 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
5Timeline events
1ADP providers
6Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: yesTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
5.3CVSS 3.1MediumCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N3.91.4redhat

Vulnerability scoring details

Base CVSS 3.1 score

5.3Medium
CVSS 3.1 vector shape for CVE-2026-0707Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timelineredhat

    Made public.

  2. Source timelineredhat

    Reported to Red Hat.

  3. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  4. CVE publishedCVE Program

    The CVE record was published.

  5. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc

Source materials

Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
Red HatRed Hat build of Keycloak 26.4rhbk/keycloak-operator-bundle, 26.4.10-1affected
Red HatRed Hat build of Keycloak 26.4rhbk/keycloak-rhel9, 26.4-12affected
Red HatRed Hat build of Keycloak 26.4rhbk/keycloak-rhel9-operator, 26.4-12affected
Red HatRed Hat build of Keycloak 26.4.10rhbk/keycloak-rhel9unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-551 · source CWE mapping

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.