Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

GHSA-gv94-wp4h-vv8p · CVE-2026-0707

Published Jan 8, 2026 · Modified Jun 9, 2026

Description

A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-0707
WEB https://github.com/keycloak/keycloak/issues/49433
WEB https://access.redhat.com/errata/RHSA-2026:3947
WEB https://access.redhat.com/errata/RHSA-2026:3948
WEB https://access.redhat.com/security/cve/CVE-2026-0707
WEB https://bugzilla.redhat.com/show_bug.cgi?id=2427768
PACKAGE https://github.com/keycloak/keycloak

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes