Unvalidated URL Construction in ResourceAdminManager via Matrix Parameter Injection #45694

@abstractj

Description

Area

No response

Describe the bug

The ResourceAdminManager class contains a logic flaw in the sendTestNodeAvailabilityRequest method. The application accepts a user-controlled managementUrl and appends a fixed path suffix (/k_test_available) using the UriBuilder utility.

The vulnerability stems from a lack of input validation for matrix parameters (semicolons) within the managementUrl. An attacker can append a semicolon to the end of the URL, causing the system-appended path to be interpreted as a matrix parameter of the preceding segment rather than a distinct path element. This bypass allows the application to send requests to unauthorized internal endpoints, such as local administrative services or cloud metadata providers, provided the attacker has high-level client management privileges.

Version

26.5.1

Regression

  • The issue is a regression

Expected behavior

The managementUrl should be strictly sanitized to prevent path traversal or the inclusion of matrix parameters. The application should validate the URI scheme and implement an allowlist or egress filter to prevent requests from reaching internal loopback or sensitive network ranges.

Actual behavior

The application blindly constructs a URI from user-provided input without sanitization. By injecting a semicolon, the mandatory path suffix is effectively neutralized by downstream parsers, allowing the request to hit the base URL provided by the user. This enables an authenticated administrator to probe internal infrastructure that is otherwise protected by external firewalls.

How to Reproduce?

  1. Authenticate to the admin console with a user possessing the manage-clients role.
  2. Configure or update a client with a malicious adminUrl containing a semicolon, for example: http://internal-service:port/sensitive-path;
  3. Trigger the node availability test by sending a request to /admin/realms/{realm}/clients/{id}/test-nodes-available.
  4. Observe that the outbound request is sent to http://internal-service:port/sensitive-path, with the required /k_test_available suffix being treated as a matrix parameter and ignored by the target.
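The following Python script is an added illustration of the validation the "Expected behavior" section asks for; it is not Keycloak's code and does not reproduce the exact UriBuilder behaviour. It assumes a validator that is run on the managementUrl before the fixed `/k_test_available` suffix is appended: the scheme must be http or https, the path may not contain matrix parameters (`;`), dot segments, query or fragment, and literal IP hosts are checked against a hypothetical block list of loopback, private and link-local ranges (the cloud metadata address falls inside 169.254.0.0/16). The sample URLs, the port 8080 and the block list are constructed for the example.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, urlunsplit

SUFFIX = "k_test_available"          # fixed suffix described in the issue
ALLOWED_SCHEMES = {"http", "https"}

# Hypothetical egress policy for this example; a deployment would tune it.
BLOCKED_NETWORKS = [
    ip_network("127.0.0.0/8"), ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16"),
    ip_network("169.254.0.0/16"),       # link-local, includes cloud metadata
    ip_network("::1/128"), ip_network("fc00::/7"), ip_network("fe80::/10"),
]


class InvalidManagementUrl(ValueError):
    """Raised when a managementUrl fails the allowlist checks."""


def host_is_blocked(host: str) -> bool:
    """True for localhost names and literal IPs inside BLOCKED_NETWORKS.

    A hostname that is not a literal IP returns False here; a real
    implementation must resolve it and re-check the resolved address at
    connect time, otherwise DNS can point the name at a blocked range.
    """
    lowered = host.lower()
    if lowered == "localhost" or lowered.endswith(".localhost"):
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in BLOCKED_NETWORKS)


def validate_management_url(url: str) -> str:
    """Return the URL unchanged if it passes every check, else raise."""
    parts = urlsplit(url)               # urlsplit keeps ';' inside the path
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise InvalidManagementUrl(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise InvalidManagementUrl("missing host")
    if parts.username is not None or parts.password is not None:
        raise InvalidManagementUrl("userinfo not allowed")
    if ";" in parts.path:
        raise InvalidManagementUrl("matrix parameters not allowed in path")
    if any(seg in (".", "..") for seg in parts.path.split("/")):
        raise InvalidManagementUrl("dot segments not allowed in path")
    if parts.query or parts.fragment:
        raise InvalidManagementUrl("query and fragment not allowed")
    if host_is_blocked(parts.hostname):
        raise InvalidManagementUrl(f"host not allowed: {parts.hostname!r}")
    return url


def is_acceptable(url: str) -> bool:
    """Boolean wrapper around validate_management_url for callers and tests."""
    try:
        validate_management_url(url)
        return True
    except InvalidManagementUrl:
        return False


def build_test_url(management_url: str) -> str:
    """Validate, then append SUFFIX as its own path segment (no matrix params)."""
    parts = urlsplit(validate_management_url(management_url))
    path = parts.path.rstrip("/") + "/" + SUFFIX
    return urlunsplit((parts.scheme.lower(), parts.netloc, path, "", ""))


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    print(build_test_url("https://app.example.com/auth/"))
    for bad in ("http://internal-service:8080/sensitive-path;",
                "http://127.0.0.1:8080/admin",
                "http://169.254.169.254/latest/meta-data",
                "ftp://app.example.com/"):
        print(bad, "->", "accepted" if is_acceptable(bad) else "rejected")
```

Rejecting `;` anywhere in the path is deliberately coarse: matrix parameters have no legitimate use in a management URL, so refusing them outright is simpler and safer than trying to normalise them. The host check only covers literal IPs; the resolved address must be checked again at connect time by the HTTP client or an egress proxy.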

Anything else?

No response
