CVE-2026-3872

Summary

A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat build of Keycloak 26.226.2.15-1 < *unaffected
Red HatRed Hat build of Keycloak 26.226.2-18 < *unaffected
Red HatRed Hat build of Keycloak 26.226.2-18 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4.11-1 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-14 < *unaffected
Red HatRed Hat build of Keycloak 26.426.4-14 < *unaffected

Weaknesses

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

Workarounds

To mitigate this vulnerability, avoid using wildcards in redirect_uri configurations within Keycloak. Restricting redirect_uri to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass

Additional References

References