CVE-2026-3872 PUBLISHED

Keycloak: keycloak: information disclosure due to redirect_uri validation bypass

Assigner: redhat
Reserved: 10.03.2026 Published: 02.04.2026 Updated: 02.04.2026

A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
CVSS Score: 7.3

Product Status

Vendor Red Hat
Product Red Hat build of Keycloak 26.4
Versions Default: affected
  • unaffected from 26.4-14 to * (excl.)
Vendor Red Hat
Product Red Hat build of Keycloak 26.4
Versions Default: affected
  • unaffected from 26.4.11-1 to * (excl.)
Vendor Red Hat
Product Red Hat build of Keycloak 26.4
Versions Default: affected
  • unaffected from 26.4-14 to * (excl.)
Vendor Red Hat
Product Red Hat build of Keycloak 26.4.11
Versions Default: unaffected

Workarounds

To mitigate this vulnerability, avoid using wildcards in redirect_uri configurations within Keycloak. Restricting redirect_uri to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect.
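To check whether a realm still relies on wildcard redirect URIs, the following audit script (an added example, not Keycloak's own tooling) scans a realm export for clients whose `redirectUris` contain `*` and checks individual URIs against the explicit, fully qualified form the workaround asks for. The realm JSON is a constructed sample containing only the `clients`, `clientId` and `redirectUris` fields the script reads.

```python
import json
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample of a Keycloak realm export, trimmed to the fields this audit reads.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "frontend", "redirectUris": ["https://app.example.com/callback/*"]},
        {"clientId": "reporting", "redirectUris": ["https://app.example.com/reports/cb", "*"]},
        {"clientId": "backend", "redirectUris": ["https://api.example.com/oauth/return"]},
    ],
})


def find_wildcard_redirect_uris(realm_export: str) -> Dict[str, List[str]]:
    """Return {clientId: [offending redirect URIs]} for every client that still
    registers a redirect URI containing '*' (trailing path wildcard or bare '*')."""
    realm = json.loads(realm_export)
    findings: Dict[str, List[str]] = {}
    for client in realm.get("clients", []):
        offending = [uri for uri in client.get("redirectUris", []) if "*" in uri]
        if offending:
            findings[client["clientId"]] = offending
    return findings


def is_explicit_redirect_uri(uri: str) -> bool:
    """True only for the form the workaround requires: an absolute URI with a
    scheme and host, no wildcard anywhere, and no fragment component."""
    if "*" in uri:
        return False
    parts = urlparse(uri)
    return bool(parts.scheme) and bool(parts.netloc) and not parts.fragment


if __name__ == "__main__":
    for client_id, uris in find_wildcard_redirect_uris(SAMPLE_REALM_EXPORT).items():
        print(f"{client_id}: replace wildcard redirect URIs {uris} with explicit URIs")
```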

References

Problem Types

  • CWE: URL Redirection to Untrusted Site ('Open Redirect')