CVE-2024-7260

6.1 MEDIUM

📋 TL;DR

CVE-2024-7260 is an open redirect vulnerability in Keycloak that allows attackers to craft malicious URLs that appear to be legitimate Keycloak pages but redirect users to malicious websites. This affects Keycloak administrators and users who might click on specially crafted links, potentially leading to phishing attacks or credential theft. The vulnerability can be exploited by sending crafted URLs to Keycloak admins via email or other communication channels.

💻 Affected Systems

Products:
  • Keycloak
Versions: All versions before 24.0.6, 23.0.11, and 22.1.13
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Keycloak instances with web interfaces accessible to users.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Successful phishing attack against Keycloak administrators leading to credential compromise, privilege escalation, and complete system takeover.

🟠 Likely Case: Phishing attacks targeting users to steal credentials or deliver malware through seemingly legitimate Keycloak redirects.

🟢 If Mitigated: Limited impact with user awareness training and proper URL filtering in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires social engineering to get users to click malicious links but is technically simple to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Keycloak 24.0.6, 23.0.11, or 22.1.13

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-7260

Restart Required: Yes

Instructions:

1. Download and install Keycloak version 24.0.6, 23.0.11, or 22.1.13 from official sources.
2. Stop the Keycloak service.
3. Apply the update.
4. Restart the Keycloak service.
5. Verify the update was successful.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

  • Implement server-side validation to reject URLs with suspicious redirect parameters
  • Configure web application firewall rules to block requests with malformed referrer parameters

🧯 If You Can't Patch

  • Implement strict URL validation and filtering at the network perimeter
  • Deploy user awareness training about phishing risks and suspicious links

🔍 How to Verify

Check if Vulnerable:

Check Keycloak version against affected versions: 24.x < 24.0.6, 23.x < 23.0.11, 22.x < 22.1.13

Check Version:

Run ./kc.sh --version, or check the version shown in the Keycloak admin console.

Verify Fix Applied:

Verify that the Keycloak version is 24.0.6, 23.0.11, or 22.1.13, or a later release of the same branch.

📡 Detection & Monitoring

Log Indicators:

  • Unusual redirect patterns in access logs
  • Requests with encoded referrer parameters

Network Indicators:

  • HTTP 302 redirects to unexpected domains
  • Suspicious URL patterns in web traffic

SIEM Query:

source="keycloak" AND (url="*referrer=*" OR url="*redirect_uri=*") AND status=302
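As an added example that is not part of this advisory, the script below applies the logic of the SIEM query above to raw access-log lines and goes one step further: it parses the Location target of each 302 and reports only redirects that leave an allowlist of expected hosts, which filters out the many legitimate redirect_uri flows that the query alone would match. The log format, sample lines, host names and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines: combined-style format with the response Location
# header appended as a final quoted field ("-" when no redirect was issued).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2024:10:00:00 +0000] "GET /realms/demo/protocol/openid-connect/auth?client_id=app&redirect_uri=https%3A%2F%2Fapp.example.com%2Fcb HTTP/1.1" 302 - "https://app.example.com/cb"
10.0.0.6 - - [01/Sep/2024:10:00:01 +0000] "GET /realms/demo/account/?referrer=https%3A%2F%2Fattacker.example%2Flogin HTTP/1.1" 302 - "https://attacker.example/login"
10.0.0.7 - - [01/Sep/2024:10:00:02 +0000] "GET /realms/demo/account/ HTTP/1.1" 200 - "-"
10.0.0.8 - - [01/Sep/2024:10:00:03 +0000] "GET /realms/demo/account/?referrer=%2F%2Fevil.example%2F HTTP/1.1" 302 - "//evil.example/"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]+" '
    r'(?P<status>\d{3}) \S+ "(?P<location>[^"]*)"$'
)

# The two query parameters named in the advisory's SIEM query.
WATCHED_PARAMS = {"referrer", "redirect_uri"}


def location_host(location):
    """Hostname of a redirect target; protocol-relative targets ("//host/") are
    scheme-less but still leave the site, and urlsplit resolves both forms."""
    return urlsplit(location).hostname


def find_external_redirects(log_text, allowed_hosts):
    """Return 302 responses to requests carrying a watched parameter whose
    Location host is not in allowed_hosts (hosts compared case-insensitively)."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "302":
            continue
        params = parse_qs(urlsplit(m.group("target")).query)
        hit_params = sorted(WATCHED_PARAMS & set(params))
        if not hit_params:
            continue
        host = location_host(m.group("location"))
        if host and host.lower() not in allowed:
            findings.append({"ip": m.group("ip"), "params": hit_params, "target_host": host})
    return findings


if __name__ == "__main__":
    for f in find_external_redirects(SAMPLE_LOG, {"app.example.com", "sso.example.com"}):
        print(f)
```

Feed it real logs by adding the Location header to the access-log format of the reverse proxy in front of Keycloak, and populate the allowlist from the redirect URIs registered for your clients.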
