GHSA-v897-pv23-r8cw

Source
https://github.com/advisories/GHSA-v897-pv23-r8cw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-v897-pv23-r8cw/GHSA-v897-pv23-r8cw.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-v897-pv23-r8cw
Downstream
Published
2026-01-15T15:31:17Z
Modified
2026-01-15T23:19:01.306601Z
Severity
  • 3.7 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Keycloak has an improper input validation vulnerability
Details

A flaw was found in Keycloak. Keycloak accepts RFC 3986-compliant matrix parameters (a `;name=value` suffix on a path segment) in URL paths, while common reverse proxy configurations compare the raw request path against their rules and neither strip nor otherwise account for such parameters. A remote, unauthenticated attacker can append a matrix parameter to a path segment so that the proxy's prefix or regex rule no longer matches (for example, a rule for `/admin/` does not match `/admin;x=y/`), while Keycloak still routes the request to the original resource. This bypasses proxy-level path filtering and could expose administrative or other sensitive endpoints that operators believe are not externally reachable. The vector (AV:N, PR:N, AC:H) reflects that no privileges are required but that impact depends on the deployment relying on proxy path filtering for access control; such deployments should canonicalize the path (including stripping matrix parameters) before applying any allow or deny rule, rather than matching on the raw string.
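The masking described above, as an added example that is not part of this advisory or of Keycloak's code: a small Python model of a proxy deny list applied to the raw request path (the vulnerable pattern) next to the same deny list applied after canonicalization, together with a constructed stand-in for a JAX-RS style router that ignores matrix parameters when choosing a handler. The deny list `BLOCKED_PREFIXES`, the sample paths and the `backend_route` rule are assumptions for the demonstration; Keycloak's real routing is not modelled.

```python
"""Matrix-parameter masking against a proxy path filter.

Added example (not Keycloak's or any proxy's code). The deny list, the
request paths and the backend routing rule are constructed for the demo.
"""
import posixpath
from urllib.parse import unquote

# Hypothetical proxy deny list: path prefixes an operator intends to keep
# internal. "/admin/" mirrors the Keycloak admin console/REST API prefix;
# the others are stand-ins for any sensitive endpoint.
BLOCKED_PREFIXES = ("/admin/", "/metrics", "/health")


def strip_matrix_params(path: str) -> str:
    """Drop ';name=value' matrix parameters from every path segment.

    This mirrors how a JAX-RS style router treats '/admin;x=1/realms' as
    the resource '/admin/realms': the parameters play no part in the
    routing decision, so they can hide a segment from a proxy that
    compares the raw string.
    """
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def canonicalize(path: str) -> str:
    """Normalize a request path before any security decision is made.

    Percent-decode, strip matrix parameters, then collapse '.', '..' and
    duplicate slashes. Only this canonical form is compared to the rules.
    Decoding before stripping is deliberately conservative for a deny list.
    """
    decoded = unquote(path)
    without_matrix = strip_matrix_params(decoded)
    normalized = posixpath.normpath(without_matrix)
    # normpath drops a trailing slash and keeps exactly two leading slashes
    # ("//admin"); restore the former and collapse the latter so prefix
    # rules such as "/admin/" behave as the operator expects.
    if without_matrix.endswith("/") and not normalized.endswith("/"):
        normalized += "/"
    return "/" + normalized.lstrip("/")


def naive_proxy_allows(path: str) -> bool:
    """Proxy rule that matches the raw request path (the vulnerable pattern)."""
    return not any(path.startswith(p) for p in BLOCKED_PREFIXES)


def hardened_proxy_allows(path: str) -> bool:
    """Proxy rule that canonicalizes first, then applies the same deny list."""
    canonical = canonicalize(path)
    return not any(canonical.startswith(p) for p in BLOCKED_PREFIXES)


def backend_route(path: str) -> str:
    """Constructed stand-in for the backend router: which handler gets the request?"""
    canonical = canonicalize(path)
    if canonical.startswith("/admin/"):
        return "admin"
    if canonical.startswith("/realms/"):
        return "public"
    return "other"


def evaluate(path: str) -> dict:
    """Outcome of both proxy rules and of backend routing for one path."""
    return {
        "path": path,
        "naive_forwards": naive_proxy_allows(path),
        "hardened_forwards": hardened_proxy_allows(path),
        "backend_handler": backend_route(path),
    }


# Constructed sample requests: a plain admin call, two masked variants and
# an ordinary public endpoint.
SAMPLE_PATHS = [
    "/admin/realms/master/users",
    "/admin;x=1/realms/master/users",
    "/admin%3Bx=1/realms/../realms/master/",
    "/realms/master/protocol/openid-connect/auth",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        r = evaluate(p)
        print(f"{r['path']:45} naive_forwards={r['naive_forwards']!s:5} "
              f"hardened_forwards={r['hardened_forwards']!s:5} "
              f"backend={r['backend_handler']}")
```

The interesting row is the masked path: the raw-string rule forwards it (it does not begin with `/admin/`), the router still dispatches it to the admin handler, and only the rule that canonicalizes first blocks it. The same pattern applies to allow lists: whichever form the backend uses to route is the form the proxy must compare.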

Database specific
{
    "nvd_published_at": "2026-01-15T13:16:04Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20"
    ],
    "github_reviewed_at": "2026-01-15T23:10:39Z",
    "severity": "LOW"
}
References

Affected packages

Maven / org.keycloak:keycloak-quarkus-server

Package

Name
org.keycloak:keycloak-quarkus-server
Purl
pkg:maven/org.keycloak/keycloak-quarkus-server

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
26.2.5

Affected versions

12.*
12.0.0
12.0.1
12.0.2
12.0.3
12.0.4
13.*
13.0.0
13.0.1
14.*
14.0.0
15.*
15.0.0
15.0.1
15.0.2
15.1.0
15.1.1
16.*
16.0.0
16.1.0
16.1.1
17.*
17.0.0
17.0.1
18.*
18.0.0
18.0.1
18.0.2
19.*
19.0.0
19.0.1
19.0.2
19.0.3
20.*
20.0.0
20.0.1
20.0.2
20.0.3
20.0.4
20.0.5
21.*
21.0.0
21.0.1
21.0.2
21.1.0
21.1.1
21.1.2
22.*
22.0.0
22.0.1
22.0.2
22.0.3
22.0.4
22.0.5
23.*
23.0.0
23.0.1
23.0.2
23.0.3
23.0.4
23.0.5
23.0.6
23.0.7
24.*
24.0.0
24.0.1
24.0.2
24.0.3
24.0.4
24.0.5
25.*
25.0.0
25.0.1
25.0.2
25.0.3
25.0.4
25.0.5
25.0.6
26.*
26.0.0
26.0.1
26.0.2
26.0.4
26.0.5
26.0.6
26.0.7
26.0.8
26.1.0
26.1.1
26.1.2
26.1.3
26.1.4
26.1.5
26.2.0
26.2.1
26.2.2
26.2.3
26.2.4
26.2.5

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-v897-pv23-r8cw/GHSA-v897-pv23-r8cw.json"