Codestin Search App

ValeriaEpifanova · 2026-01-27T13:21:57Z

Add validation on Authorization Header to fix GHSA-gv94-wp4h-vv8p:

case-insensitive validation of the Bearer scheme
strict enforcement of a single ASCII space separator
rejection of non-standard whitespaces
validate token value by RFC6750:

b64token    = 1*( ALPHA / DIGIT /"-" / "." / "_" / "~" / "+" / "/" ) *"="
credentials = "Bearer" 1*SP b64token

rmartinc

Thanks @ValeriaEpifanova for the PR! I added some suggestions and besides we will need tests for this.

I created a quick test using the admin whoAmI endpoint in this class. You can create more methods that test other prefixes like commented in the issue (BEARER , Bearer , Bearer\t,...).

There is only snag for this, current implementations that uses some spaces or different case will fail after this PR. I don't know if we need a configuration to revert to the previous wrong behavior or not. We have used previously configurations in the OIDC factory to allow old behaviors (for example in this commit fa383bf). @mposolda WDYT? Do we allow previous behavior with a switch or do we just follow the spec?

services/src/main/java/org/keycloak/services/managers/AppAuthManager.java

rmartinc · 2026-02-05T12:14:07Z

If the change is just the space I would go without any configuration switch. So just add the test class and check that several spaces or a tab is not valid. Let's see what the maintainers think about this. Thanks @ValeriaEpifanova!

mposolda · 2026-02-05T13:47:14Z

@ValeriaEpifanova @rmartinc +1 that bearer should be case-insensitive. It probably does not increase security to treat it case-sensitive, but rather introducing issues. We had already issues in the past when people using Authorization: bearer and they had issues (AFAIR some of the standard OIDC adapters used bearer at some point... ).

Hopefully we can go without config option on this. +1 to just have a test and should be good to go IMO.

ValeriaEpifanova · 2026-02-06T13:42:00Z

Thanks for the review @rmartinc @mposolda . I've added tests. I took the class you @rmartinc created for this purpose and added more tests. I've also fixed the code, but I've left the header validation case-insensitive.
I didn't add a test where there's a space before Bearer Bearer. I assume that RestEasy itself might be using trim() under the hood. This request returns a 200 status.

rmartinc

Thanks @ValeriaEpifanova! I think that it's OK, just a minor comment but I don't think that it is important. And it's usually better doing rebase instead of merge to update the branch. @mposolda please launch the tests and check if this is OK to you.

rmartinc · 2026-02-09T08:49:08Z

services/src/main/java/org/keycloak/services/managers/AppAuthManager.java


-        String tokenString = split[1];
-        if (ObjectUtil.isBlank(tokenString)) {
+        if (ObjectUtil.isBlank(tokenString) || tokenString.contains(" ")) {


Is there any difference adding the tokenString.contains(" ") or not adding it?

There is a difference. For example, "Bearer 2SP token" is not blank, so the code would continue processing the token. If next space after first was before token value. Token value will be " token".

But I suppose token would fail because it's not a valid token for the space at the beginning. But no problem, now we have tests, so we are covered.

You're right, and at first I thought the same thing. But the point of the CVE is that, according to the RFC, there must be strictly one space between Bearer and token.
credentials = "Bearer" 1*SP b64token

ValeriaEpifanova · 2026-02-09T09:02:52Z

Got it, thanks @rmartinc — I’ll keep your advice about using rebase instead of merge in mind for the future.

rmartinc · 2026-02-10T07:57:51Z

Hey @ValeriaEpifanova! The build is failing because the imports, just run mvn spotless:apply to fix the imports. Thanks!

…ader with Bearer, add tests Signed-off-by: Valeria Epifanova <[email protected]>

ValeriaEpifanova · 2026-02-10T08:57:17Z

Done @rmartinc
Thanks for help! I think we can start it again

mposolda

@ValeriaEpifanova @rmartinc Thanks!

…er, add tests (keycloak#45787) Closes keycloak#45649 Signed-off-by: Valeria Epifanova <[email protected]> (cherry picked from commit 05ff44b)

…er, add tests (keycloak#45787) Closes keycloak#45649 Signed-off-by: Valeria Epifanova <[email protected]> (cherry picked from commit 05ff44b) Signed-off-by: rmartinc <[email protected]>

…er, add tests (keycloak#45787) Closes keycloak#45649 Signed-off-by: Valeria Epifanova <[email protected]>

ValeriaEpifanova requested a review from a team as a code owner January 27, 2026 13:21

ValeriaEpifanova mentioned this pull request Jan 27, 2026

CVE-2026-0707: Keycloak Authorization Header Parsing Leading to Potential Security Control Bypass #45649

Closed

ahus1 added area/oidc Indicates an issue on OIDC area team/core-clients labels Jan 29, 2026

rmartinc suggested changes Feb 5, 2026

View reviewed changes

mposolda self-assigned this Feb 5, 2026

rmartinc approved these changes Feb 9, 2026

View reviewed changes

ValeriaEpifanova force-pushed the bearer-validation-strict branch 2 times, most recently from 0417d35 to a1e5dc7 Compare February 9, 2026 14:21

ValeriaEpifanova force-pushed the bearer-validation-strict branch 3 times, most recently from e2c749f to da8f486 Compare February 10, 2026 08:39

Issuer 45649: patch CVE-2026-0707. Add validation on Authorization He…

fd5225a

…ader with Bearer, add tests Signed-off-by: Valeria Epifanova <[email protected]>

ValeriaEpifanova force-pushed the bearer-validation-strict branch from da8f486 to fd5225a Compare February 10, 2026 08:53

mposolda approved these changes Feb 10, 2026

View reviewed changes

mposolda merged commit 05ff44b into keycloak:main Feb 10, 2026
82 checks passed

rmartinc mentioned this pull request Feb 10, 2026

Patch CVE-2026-0707. Add validation on Authorization Header with Bearer, add tests (26.5) #46184

Merged

rmartinc mentioned this pull request Feb 10, 2026

Patch CVE-2026-0707. Add validation on Authorization Header with Bearer, add tests (26.4) #46190

Merged

msdaly200 pushed a commit to msdaly200/keycloak that referenced this pull request Feb 13, 2026

Patch CVE-2026-0707. Add validation on Authorization Header with Bear…

f1daa4a

…er, add tests (keycloak#45787) Closes keycloak#45649 Signed-off-by: Valeria Epifanova <[email protected]>

Conversation

ValeriaEpifanova commented Jan 27, 2026

Uh oh!

rmartinc left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

rmartinc commented Feb 5, 2026

Uh oh!

mposolda commented Feb 5, 2026

Uh oh!

ValeriaEpifanova commented Feb 6, 2026

Uh oh!

rmartinc left a comment

Choose a reason for hiding this comment

Uh oh!

rmartinc Feb 9, 2026

Choose a reason for hiding this comment

Uh oh!

ValeriaEpifanova Feb 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

rmartinc Feb 9, 2026

Choose a reason for hiding this comment

Uh oh!

ValeriaEpifanova Feb 9, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

ValeriaEpifanova commented Feb 9, 2026

Uh oh!

rmartinc commented Feb 10, 2026

Uh oh!

ValeriaEpifanova commented Feb 10, 2026

Uh oh!

mposolda left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

ValeriaEpifanova Feb 9, 2026 •

edited

Loading

ValeriaEpifanova Feb 9, 2026 •

edited

Loading