{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-07T00:00:00Z",
  "bugzilla" : {
    "description" : "keycloak: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass",
    "id" : "2427768",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2427768"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-551",
  "details" : [ "A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the \"Bearer\" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.", "A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the \"Bearer\" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications." ],
  "statement" : "This vulnerability is rated Moderate for Red Hat because Keycloak's excessive tolerance for non-standard Bearer token formats in the Authorization header can lead to inconsistencies with front-end security controls such as WAFs and proxies. This may enable potential bypass risks, allowing malformed tokens to circumvent intended security policies.",
  "acknowledgement" : "Red Hat would like to thank Guanping Zhang for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3948",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.4.10-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3948",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9:26.4-12"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3948",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.4-12"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4.10",
    "release_date" : "2026-03-05T00:00:00Z",
    "advisory" : "RHSA-2026:3947",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-0707\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-0707" ],
  "name" : "CVE-2026-0707",
  "mitigation" : {
    "value" : "To mitigate this issue, configure any front-end security controls, such as Web Application Firewalls (WAFs) or reverse proxies, to strictly validate and normalize the `Authorization` header before forwarding requests to Keycloak. This ensures that only standard Bearer token formats are processed, preventing potential bypasses.",
    "lang" : "en:us"
  },
  "csaw" : false
}