Open redirect in Keycloak - CVE-2020-10734
Published: April 25, 2022 / Updated: June 29, 2026
Keycloak
Detailed vulnerability description
The vulnerability allows a remote attacker to redirect users to an untrusted site.
The vulnerability exists due to open redirect in the OIDC logout endpoint when handling logout requests without an id_token_hint. A remote attacker can send a specially crafted logout request to redirect users to an untrusted site.
The endpoint does not have CSRF protection.