A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the Bearer authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.
If a web server does not fully parse requested URLs before it examines them for authorization, it may be possible for an attacker to bypass authorization protection.