CVE-2026-3872

HIGH

Keycloak: keycloak: information disclosure due to redirect_uri validation bypass

Title source: cna

Description

A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.

References (6)

[Issue Tracking, X_Refsource_Redhat] https://bugzilla.redhat.com/show_bug.cgi?id=2445988

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:6475

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:6476

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:6477

[Vendor Advisory] https://access.redhat.com/errata/RHSA-2026:6478

[Vdb Entry, X_Refsource_Redhat] https://access.redhat.com/security/cve/CVE-2026-3872

Scores

CVSS v3 7.3

EPSS 0.0001

EPSS Percentile 1.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-601

Status published

Products (12)

org.keycloak/keycloak-services 0 - 26.5.7Maven

Red Hat/Red Hat build of Keycloak 26.2 26.2-18

Red Hat/Red Hat build of Keycloak 26.2 26.2.15-1

Red Hat/Red Hat build of Keycloak 26.2.15

Red Hat/Red Hat build of Keycloak 26.4 26.4-14

Red Hat/Red Hat build of Keycloak 26.4 26.4.11-1

Red Hat/Red Hat build of Keycloak 26.4.11

redhat/build_of_keycloak

redhat/build_of_keycloak 26.2

redhat/build_of_keycloak 26.2.15

... and 2 more

Published Apr 02, 2026

Tracked Since Apr 02, 2026