NUL byte characters are sent from query parameters to the database causing SQL exception #41117

@knutz3n

Description

Before reporting an issue

  • I have read and understood the above terms for submitting issues, and I understand that my issue may be closed without action if I do not follow them.

Area

core

Describe the bug

If a client_id parameter is sent as client_id=%00, which is a Unicode NUL byte, the value is passed all the way to the database. Several databases, including PostgreSQL, do not support NUL bytes in string inputs and will raise an error like:

ERROR: invalid byte sequence for encoding "UTF8": 0x00 Where: portal "<id>" parameter $1

This results in a logged server-side exception and typically a generic 500 Internal Server Error response to the client.
While not a security vulnerability by itself, it creates log noise, especially if Keycloak is publicly accessible and targeted by automated scans or bots attempting SQL injection payloads.

Version

26.3.1

Regression

  • The issue is a regression

Expected behavior

When a value like %00 is sent as a query parameter, I expect a 400 Bad Request back.

Actual behavior

A query parameter value containing %00, which is later used in a database query, returns a 500 response when running Keycloak on, for example, PostgreSQL.

How to Reproduce?

Run Keycloak with a PostgreSQL database and add %00 to a client_id query parameter.

For example:
http://localhost:8080/realms/master/protocol/openid-connect/auth?client_id=%00&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fadmin%2Fmaster%2Fconsole%2F&response_type=code&scope=openid

Anything else?

No response
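
The check the report asks for, as an added example that is not part of the issue and is not Keycloak code: decode the query string and reject any parameter whose name or value contains U+0000, so the caller can answer 400 before the value reaches a database query. The class and method names are hypothetical, and the second sample query is constructed; the first is the query from the reproduction URL above.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;

// Hypothetical stand-alone check (JDK 10+ only, no Keycloak or JAX-RS types).
public class NulQueryParamCheck {

    // Splits a raw query string and percent-decodes each name and value as UTF-8.
    // Throws IllegalArgumentException on malformed escapes such as a trailing "%0".
    static Map<String, String> decodeQuery(String rawQuery) {
        Map<String, String> params = new LinkedHashMap<>();
        if (rawQuery == null || rawQuery.isEmpty()) return params;
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) continue;
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(name, StandardCharsets.UTF_8),
                       URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // True when the request should be answered with 400 Bad Request:
    // the query is malformed, or a decoded name or value contains a NUL character.
    static boolean shouldReject(String rawQuery) {
        Map<String, String> params;
        try {
            params = decodeQuery(rawQuery);
        } catch (IllegalArgumentException e) {
            return true;
        }
        for (Map.Entry<String, String> p : params.entrySet()) {
            if (p.getKey().indexOf('\0') >= 0 || p.getValue().indexOf('\0') >= 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Query string from the reproduction URL in the report.
        String reported = "client_id=%00&redirect_uri=http%3A%2F%2Flocalhost%3A8080"
                + "%2Fadmin%2Fmaster%2Fconsole%2F&response_type=code&scope=openid";
        // Constructed benign query for comparison.
        String benign = "client_id=my-app&response_type=code&scope=openid";
        System.out.println("reported query rejected: " + shouldReject(reported));
        System.out.println("benign query rejected:   " + shouldReject(benign));
    }
}
```

The check runs on decoded values, so it also catches a NUL that arrives inside a longer value or in a parameter name rather than as the whole client_id.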

Metadata

Assignees

No one assigned

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests
