Description
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
Published: 2026-04-02
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure (access token theft)
Action: Apply Patch
AI Analysis

Impact

A flaw in Keycloak allows an attacker who controls another web path on the same server to bypass redirect URI validation that uses wildcards, enabling theft of an access token and disclosure of sensitive information. The bypass is classified as CWE-601 (URL redirection to an untrusted site).

Affected Systems

The vulnerability affects Red Hat build of Keycloak versions 26.2 and 26.4, including the 26.2.15 and 26.4.11 patch levels. Services running any of these Red Hat Keycloak builds are potentially exposed.

Risk and Exploitability

The flaw carries a CVSS score of 7.3 (high severity); EPSS information is not available, and it is not listed in the CISA KEV catalog. To exploit the logic flaw, an attacker must control an alternate path on the same web server and supply a redirect URI that falls under a configured wildcard. The risk is moderate to high, with a realistic chance of successful exploitation in environments where wildcard redirect URIs are configured.

Generated by OpenCVE AI on April 2, 2026 at 23:00 UTC.

Remediation

Vendor Workaround

To mitigate this vulnerability, avoid using wildcards in `redirect_uri` configurations within Keycloak. Restricting `redirect_uri` to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect.


OpenCVE Recommended Actions

  • Apply the Red Hat update packages that address CVE-2026-3872 (RHSA-2026:6475 through RHSA-2026:6478).
  • After applying the patch, verify that all custom redirect URIs are fully qualified and do not contain wildcards.
  • Reload or restart the Keycloak service to apply configuration changes.
  • Validate that the redirect URI validation now rejects malformed requests from unauthorized paths.
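The workaround and the verification step above both come down to the same check: no client should have a redirect URI containing a wildcard. As an added example (not OpenCVE's or Keycloak's own code), the script below audits a Keycloak realm export for such entries; it assumes the standard export layout (`clients[].redirectUris`), and the sample export is constructed.

```python
# Added example, not OpenCVE's or Keycloak's code: audit a Keycloak realm export
# for redirect URIs that are wildcards or relative paths (see vendor workaround).
import json
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample export; only the keys this audit reads are included.
SAMPLE_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "web-app",
         "redirectUris": ["https://app.example.test/callback",
                          "https://app.example.test/*"]},
        {"clientId": "spa",
         "redirectUris": ["https://spa.example.test/auth/*", "/relative/*"]},
        {"clientId": "service",
         "redirectUris": ["https://svc.example.test/oidc/return"]},
    ],
})


def classify_redirect_uri(uri: str) -> Optional[str]:
    """Return a finding label, or None for an explicit absolute URI.
    Relative URIs are flagged too: Keycloak resolves them against the
    client's rootUrl, so the effective allow-list is not visible here.
    """
    if "*" in uri:
        return "wildcard"
    parsed = urlparse(uri)
    if not parsed.scheme or not parsed.netloc:
        return "not-absolute"
    return None


def audit_realm_export(export_json: str) -> List[Tuple[str, str, str]]:
    """Return (clientId, redirectUri, finding) for each non-compliant URI."""
    realm = json.loads(export_json)
    findings = []
    for client in realm.get("clients", []):
        for uri in client.get("redirectUris", []):
            label = classify_redirect_uri(uri)
            if label is not None:
                findings.append((client["clientId"], uri, label))
    return findings


if __name__ == "__main__":
    for client_id, uri, label in audit_realm_export(SAMPLE_EXPORT):
        print(f"{label:12s} {client_id}: {uri}")
```

Feed it a realm export that includes clients; every URI it reports should be replaced by the explicit callback URL the wildcard was standing in for.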

Advisories

Source: GitHub GHSA
ID: GHSA-cjm2-j6cm-6p6m
Title: Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
History

Thu, 16 Apr 2026 21:00:00 +0000

CPEs
  Added:
    cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:text-only:*:*:*
    cpe:2.3:a:redhat:build_of_keycloak:26.2.15:*:*:*:text-only:*:*:*
    cpe:2.3:a:redhat:build_of_keycloak:26.2:*:*:*:text-only:*:*:*
    cpe:2.3:a:redhat:build_of_keycloak:26.4.11:*:*:*:text-only:*:*:*
    cpe:2.3:a:redhat:build_of_keycloak:26.4:*:*:*:text-only:*:*:*

Fri, 03 Apr 2026 01:30:00 +0000

References
Metrics (threat_severity)
  Removed: None
  Added: Important

Thu, 02 Apr 2026 20:30:00 +0000

First Time appeared
  Added: Redhat build Of Keycloak
CPEs
  Added: cpe:/a:redhat:build_keycloak:26.2::el9
Vendors & Products
  Added: Redhat build Of Keycloak
References

Thu, 02 Apr 2026 14:15:00 +0000

CPEs
  Removed: cpe:/a:redhat:build_keycloak:
  Added: cpe:/a:redhat:build_keycloak:26.4::el9
References
Metrics (ssvc)
  Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 13:15:00 +0000

Description
  Added: A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
Title
  Added: Keycloak: keycloak: information disclosure due to redirect_uri validation bypass
First Time appeared
  Added: Redhat; Redhat build Keycloak
Weaknesses
  Added: CWE-601
CPEs
  Added: cpe:/a:redhat:build_keycloak:
Vendors & Products
  Added: Redhat; Redhat build Keycloak
References
Metrics (cvssV3_1)
  Added: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED
Assigner: redhat
Published:
Updated: 2026-04-07T14:53:06.658Z
Reserved: 2026-03-10T09:25:23.875Z
Link: CVE-2026-3872

Vulnrichment

Updated: 2026-04-02T13:15:16.494Z

NVD

Status: Analyzed
Published: 2026-04-02T13:16:26.390
Modified: 2026-04-16T20:52:42.840
Link: CVE-2026-3872

Redhat

Severity: Important
Public Date: 2026-04-02T12:30:00Z
Links: CVE-2026-3872 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-03T09:18:50Z

Weaknesses