CVE-2026-37977 — LOW (3.7) — White Hats Nepal

Vulnerability Description

A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used to set the `Access-Control-Allow-Origin` header before the JWT signature is validated. When a specially crafted JWT with an attacker-controlled `azp` value is processed, this value is reflected as the CORS origin, even if the grant is later rejected. This can lead to the exposure of low-sensitivity information from authorization server error responses, weakening origin isolation, but only when a target client is misconfigured with `webOrigins: ["*"]`.

CVSS Score

3.7

LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Redhat	Build Of Keycloak	-

Related Weaknesses (CWE)

CWE-346

References

https://access.redhat.com/security/cve/CVE-2026-37977Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2455324Issue TrackingVendor Advisory

FAQ

What is CVE-2026-37977?

CVE-2026-37977 is a vulnerability with a CVSS score of 3.7 (LOW). A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occu...

How severe is CVE-2026-37977?

CVE-2026-37977 has been rated LOW with a CVSS base score of 3.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-37977?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Build Of Keycloak.