PT-2026-30582 · Red Hat · Keycloak
Osidb Bzimport · Published 2026-04-06 · Updated 2026-04-06 · CVE-2026-37977
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)
Description: A flaw exists in Keycloak that allows a remote attacker to exploit a Cross-Origin Resource Sharing (CORS) header injection in the User-Managed Access (UMA) token endpoint. The issue arises because the azp claim from a client-supplied JSON Web Token (JWT) is used to set the Access-Control-Allow-Origin header before the JWT's signature is validated. A crafted JWT with a controlled azp value can therefore be reflected as the CORS origin, potentially exposing low-sensitivity information from authorization server error responses, but only when a client is misconfigured with webOrigins: ['*'].
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
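The ordering defect described above, shown as an added illustration rather than Keycloak's own code: a token endpoint that picks the Access-Control-Allow-Origin value from the unverified azp claim and only then checks the signature, beside the corrected ordering that trusts no claim until the signature verifies. The HS256 mini-JWT, the SERVER_KEY, the CLIENT_REGISTRY with its webOrigins entries and the request origins are all constructed for this example; the wildcard client models the webOrigins: ['*'] misconfiguration the advisory names.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo data (not from the advisory): the server's HMAC key and a
# client registry mapping client id -> allowed web origins.
SERVER_KEY = b"constructed-demo-signing-key"
CLIENT_REGISTRY = {
    "portal": {"webOrigins": ["https://portal.example"]},
    "legacy": {"webOrigins": ["*"]},   # the misconfiguration the advisory describes
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT builder (demo only); `key` may be the wrong key to forge a token."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the HS256 signature is valid, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig)):
            return None
        return json.loads(b64url_decode(payload))
    except ValueError:
        return None


def resolve_cors_origin(azp: Optional[str], request_origin: str) -> Optional[str]:
    """Map a client id to the origin it permits; a '*' entry echoes the request origin."""
    client = CLIENT_REGISTRY.get(azp)
    if client is None:
        return None
    origins = client["webOrigins"]
    if "*" in origins or request_origin in origins:
        return request_origin
    return None


def handle_vulnerable(token: str, request_origin: str):
    """Vulnerable ordering: CORS origin is derived from the *unverified* azp claim
    before the signature check, so even the 401 error response carries that header."""
    headers = {}
    parts = token.split(".")
    if len(parts) != 3:
        return 400, headers
    unverified_claims = json.loads(b64url_decode(parts[1]))
    origin = resolve_cors_origin(unverified_claims.get("azp"), request_origin)
    if origin:
        headers["Access-Control-Allow-Origin"] = origin
    if verify_jwt(token, SERVER_KEY) is None:
        return 401, headers          # error response, but ACAO already set
    return 200, headers


def handle_fixed(token: str, request_origin: str):
    """Corrected ordering: verify the signature first; an invalid token yields an
    error response with no CORS header, so nothing is reflected."""
    headers = {}
    claims = verify_jwt(token, SERVER_KEY)
    if claims is None:
        return 401, headers
    origin = resolve_cors_origin(claims.get("azp"), request_origin)
    if origin:
        headers["Access-Control-Allow-Origin"] = origin
    return 200, headers


if __name__ == "__main__":
    forged = make_jwt({"azp": "legacy"}, b"not-the-server-key")
    print("vulnerable:", handle_vulnerable(forged, "https://other.example"))
    print("fixed:     ", handle_fixed(forged, "https://other.example"))
```

Run as a script, the forged token naming the wildcard client produces a 401 from both handlers, but only the vulnerable one attaches Access-Control-Allow-Origin echoing the caller's origin. The same forged token naming the properly configured "portal" client gets no CORS header from either handler, which is the advisory's caveat that the issue only surfaces alongside a webOrigins: ['*'] client. The general fix is the ordering: signature validation before any claim, including azp, influences response headers.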

Weakness Enumeration: Origin Validation Error

Related Identifiers: CVE-2026-37977, GHSA-5V8V-XVJV-57X7

Affected Products: Keycloak