CVE-2026-3872
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Summary
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2.15-1 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2-18 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.2 | 26.2-18 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4.11-1 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-14 < * | unaffected |
| Red Hat | Red Hat build of Keycloak 26.4 | 26.4-14 < * | unaffected |
Weaknesses
- CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Workarounds
To mitigate this vulnerability, avoid using wildcards in redirect_uri configurations within Keycloak. Restricting redirect_uri to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass
Additional References
- https://access.redhat.com/security/cve/CVE-2026-3872
- https://bugzilla.redhat.com/show_bug.cgi?id=2445988
- https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-3872.json
- https://access.redhat.com/errata/RHSA-2026:6476
- https://access.redhat.com/errata/RHSA-2026:6478
- https://access.redhat.com/errata/RHSA-2026:6475
- https://access.redhat.com/errata/RHSA-2026:6477
References
- https://access.redhat.com/errata/RHSA-2026:6475
- https://access.redhat.com/errata/RHSA-2026:6476
- https://access.redhat.com/errata/RHSA-2026:6477
- https://access.redhat.com/errata/RHSA-2026:6478
- https://access.redhat.com/security/cve/CVE-2026-3872
- https://bugzilla.redhat.com/show_bug.cgi?id=2445988
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.