PatchSiren cyber security CVE debrief
CVE-2026-7504 Red Hat CVE debrief
CVE-2026-7504 describes an open-redirect validation bypass in Keycloak when clients use a wildcard (*) in Valid Redirect URIs. A crafted redirect URL can slip past validation because Java URI parsing and Keycloak’s check disagree on how to handle the user-info portion of the authority. The result is that a malicious redirect may be allowed after user interaction, which can expose sensitive information within the domain or support follow-on attacks. NVD lists the issue as HIGH severity and maps it to CWE-601.
- Vendor: Red Hat
- Product: Red Hat build of Keycloak 26.2
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-20
Who should care
Keycloak administrators, application owners, and identity/security teams should care most if they use wildcard redirect URI settings. Any environment that relies on login or OAuth-style redirect flows with user-facing redirects is at risk of redirect abuse if the validation logic is not updated and wildcard allowances remain in place.
Technical summary
The flaw is in the redirect validation logic. According to the CVE description, if a malicious redirect URL uses multiple @ characters in the user-info section, Java’s URI parser may not extract user-info at all and instead leaves only the raw authority field populated. Keycloak’s validation then fails to recognize the malformed user-info, falls back to wildcard matching, and incorrectly accepts the redirect. The published CVSS vector is AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, indicating network-reachable exploitation that requires user interaction, with high confidentiality and integrity impact and no availability impact.
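The parser disagreement described above, as an added example that is not Keycloak's or Red Hat's code: a hypothetical weak check that relies on java.net.URI.getUserInfo() and then wildcard-matches the raw request string, beside a strict check that rebuilds the redirect from parsed components and rejects any authority java.net.URI could not parse to a host. The allowlist entries, class and method names, and both input URLs are constructed for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.List;

public class StrictRedirectCheck {
    // Hypothetical per-client allowlist in "Valid Redirect URIs" style; a trailing '*' is a wildcard.
    static final List<String> VALID_REDIRECT_URIS =
            List.of("https://app.example.com/callback", "https://app.example.com*");

    static boolean wildcardMatch(String pattern, String candidate) {
        if (pattern.endsWith("*")) return candidate.startsWith(pattern.substring(0, pattern.length() - 1));
        return pattern.equals(candidate);
    }

    // Weak shape of check (hypothetical, not Keycloak's code): trusts getUserInfo() to surface
    // user-info, then wildcard-matches the raw request string.
    static boolean weakAllowed(String redirect) throws URISyntaxException {
        URI uri = new URI(redirect);
        if (uri.getUserInfo() != null) return false;   // null for a multi-'@' authority, so this passes
        return VALID_REDIRECT_URIS.stream().anyMatch(p -> wildcardMatch(p, redirect));
    }

    // Strict check: rebuild the redirect from parsed components and refuse anything whose
    // authority did not parse as a clean host (java.net.URI then leaves getHost() null).
    static String normalize(String redirect) {
        URI uri;
        try {
            uri = new URI(redirect);
        } catch (URISyntaxException e) {
            return null;                               // unparseable: not allowed
        }
        String auth = uri.getRawAuthority();
        if (uri.getScheme() == null || uri.getHost() == null || uri.getUserInfo() != null
                || auth == null || auth.indexOf('@') >= 0) return null;
        String port = uri.getPort() == -1 ? "" : ":" + uri.getPort();
        String path = uri.getRawPath() == null ? "" : uri.getRawPath();
        return uri.getScheme().toLowerCase() + "://" + uri.getHost().toLowerCase() + port + path;
    }

    static boolean strictAllowed(String redirect) {
        String normalized = normalize(redirect);
        return normalized != null && VALID_REDIRECT_URIS.stream().anyMatch(p -> wildcardMatch(p, normalized));
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed inputs: a legitimate redirect and an authority carrying more than one '@'.
        String legit = "https://app.example.com/sso/return";
        String ambiguous = "https://app.example.com@attacker.example@x/sso/return";
        URI u = new URI(ambiguous);   // parses as a registry-based authority: no user-info, no host
        System.out.println("userInfo=" + u.getUserInfo() + " host=" + u.getHost() + " rawAuthority=" + u.getRawAuthority());
        System.out.println("weak:   legit=" + weakAllowed(legit) + " ambiguous=" + weakAllowed(ambiguous));
        System.out.println("strict: legit=" + strictAllowed(legit) + " ambiguous=" + strictAllowed(ambiguous));
    }
}
```

The strict path is the defensive pattern worth carrying into any allowlist matcher: compare wildcards against components that parsed unambiguously, never against the raw string the client supplied.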
Defensive priority
High. This is an externally reachable redirect-validation bypass with user interaction required and potential exposure of sensitive information. Even though availability impact is not listed, the combination of open-redirect behavior and high confidentiality/integrity impact makes review and remediation important for any deployment using wildcard redirect URIs.
Recommended defensive actions
- Identify Keycloak clients configured with wildcard (*) entries in Valid Redirect URIs and remove wildcard use wherever possible.
- Replace wildcard redirect rules with exact, narrowly scoped redirect URI allowlists.
- Apply the vendor fixes and the applicable Red Hat advisories referenced in the source corpus (RHSA-2026:19594 through RHSA-2026:19597) as soon as they are available for your environment.
- Review redirect handling in login and authorization flows for any unexpected redirects or broad URI matching behavior.
- Monitor authentication and redirect logs for suspicious redirect targets or unusual user-facing redirect activity.
- Validate that downstream applications do not depend on permissive redirect behavior before deploying the fix.
Evidence notes
Source corpus indicates NVD published the CVE on 2026-05-19 and modified it on 2026-05-20; those dates are used here as the disclosure timing context. NVD currently shows vulnStatus as Undergoing Analysis. The supplied references include Red Hat security advisories and a Red Hat Bugzilla entry, but the corpus does not provide patch versions or affected release ranges. No KEV listing is present in the supplied data.
Official resources
Published by NVD on 2026-05-19 and modified on 2026-05-20; no KEV listing is present in the supplied corpus.