CVE-2026-3872

EUVD-2026-18206
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
Open Redirect
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.3 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 1%
Affected Products (NVD)
VendorProductVersion
redhatbuild_of_keycloak
-
redhatbuild_of_keycloak
26.2
redhatbuild_of_keycloak
26.2.15
redhatbuild_of_keycloak
26.4
redhatbuild_of_keycloak
26.4.11
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHSA-2026:6475
https://access.redhat.com/errata/RHSA-2026:6476
https://access.redhat.com/errata/RHSA-2026:6477
https://access.redhat.com/errata/RHSA-2026:6478
https://access.redhat.com/security/cve/CVE-2026-3872
https://bugzilla.redhat.com/show_bug.cgi?id=2445988