CVE-2026-0707
MediumCVSS 5.3Summary
A flaw was found in Keycloak regarding the authorization header parser. This parser is overly permissive regarding the formatting of the 'Bearer' authentication scheme, accepting non-standard characters as separators and tolerating case variations that deviate from RFC 6750 specifications.
Risk Assessment
This vulnerability may lead to unauthorized access to resources, as an attacker could exploit non-standard characters in authorization headers, potentially misleading the authorization system.
Recommendation
It is recommended to update Keycloak to the latest version that fixes the authorization header parser to ensure compliance with RFC 6750 and limit accepted characters.
Original NVD description (English source)
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

