CVE-2026-3872
Status: Received - Intake
Wildcard Redirect URI Bypass in Keycloak Leading to Token Theft

Publication date: 2026-04-02

Last updated on: 2026-04-16

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-02
EPSS Evaluated: 2026-06-14
Affected Vendors & Products (5 associated CPEs)
Vendor   Product            Version / Range
redhat   build_of_keycloak  *
redhat   build_of_keycloak  26.2
redhat   build_of_keycloak  26.2.15
redhat   build_of_keycloak  26.4
redhat   build_of_keycloak  26.4.11
CWE
CWE-601: The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Executive Summary

CVE-2026-3872 is a high-severity vulnerability in Keycloak related to improper validation of the redirect_uri parameter.

The flaw allows an attacker to bypass the allowed path restrictions in redirect URIs that use wildcards, because the validation logic fails to correctly enforce path constraints.

If an attacker controls another path on the same web server, they can craft a redirect URI that circumvents these restrictions, potentially leading to the theft of access tokens.

Impact Analysis

This vulnerability can lead to the theft of access tokens by attackers who exploit the redirect URI validation flaw.

The stolen access tokens can result in unauthorized information disclosure, compromising sensitive data.

Because the vulnerability allows bypassing security restrictions, it poses a significant risk to the confidentiality and integrity of user sessions and data.

Compliance Impact

This vulnerability in Keycloak allows an attacker to steal access tokens through bypassing redirect URI path restrictions, leading to information disclosure.

Such unauthorized access and information disclosure can potentially violate data protection requirements in common standards and regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information.

Therefore, exploitation of this flaw could result in non-compliance with these regulations due to compromised confidentiality and unauthorized data access.

Detection Guidance

Detecting exposure to this vulnerability involves checking how Keycloak validates the redirect_uri parameter, especially when wildcards are used in the allowed redirect URIs.

One approach is to review the Keycloak server configuration for redirect URIs that include wildcards and test whether crafted redirect URIs can bypass path restrictions.

Specific commands are not provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include reviewing and tightening the allowed redirect URI configurations in Keycloak to avoid using wildcards in paths.

Ensure that redirect URIs are explicitly defined without wildcards to prevent attackers from exploiting path bypasses.

Monitor for updates or patches from Keycloak or your Linux distribution and apply them as soon as they become available.
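As an added example (not Keycloak's code and not part of this record), the two assumed helpers below show the strict behaviour the mitigation above asks for: audit_redirect_pattern flags registered wildcard patterns whose scope is wider than one segment-bounded path prefix, and redirect_allowed accepts a requested redirect_uri only after percent-decoding and collapsing dot segments, so a URI on the same host but outside the allowed prefix is refused. The URIs in the docstrings and tests are constructed.

```python
from typing import List, Optional
from urllib.parse import urlsplit, unquote
import posixpath

def audit_redirect_pattern(pattern: str) -> List[str]:
    """Findings for one registered redirect-URI pattern; an empty list means nothing risky."""
    findings: List[str] = []
    if "*" not in pattern:
        return findings                       # exact URIs are the recommended form
    if pattern.count("*") != 1 or not pattern.endswith("*"):
        return ["wildcard must be a single trailing '*'"]
    base = urlsplit(pattern[:-1])
    if base.scheme != "https":
        findings.append("non-https scheme")
    if base.query or base.fragment:
        findings.append("query or fragment in pattern")
    if base.path in ("", "/"):
        findings.append("wildcard covers every path on the host")
    elif not base.path.endswith("/"):
        findings.append("prefix does not end at a path segment boundary")
    return findings

def _normalize_path(raw: str) -> Optional[str]:
    """Percent-decode until stable and collapse dot segments; None if not an absolute path."""
    path = raw
    while (decoded := unquote(path)) != path:  # repeat so double encoding cannot hide '..'
        path = decoded
    if not path.startswith("/") or "\\" in path:
        return None
    norm = posixpath.normpath(path)            # resolves '.', '..' and '//' inside the path
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm

def redirect_allowed(pattern: str, candidate: str) -> bool:
    """Strictly match a requested redirect_uri against one registered pattern."""
    cand = urlsplit(candidate)
    if cand.scheme != "https" or cand.fragment:
        return False
    if "*" not in pattern:
        return candidate == pattern            # exact string match, nothing else
    if audit_redirect_pattern(pattern):
        return False                           # never honour a risky wildcard pattern
    base = urlsplit(pattern[:-1])
    if cand.netloc.lower() != base.netloc.lower():
        return False                           # same host only, no userinfo or port tricks
    path = _normalize_path(cand.path)
    # allowed: the prefix directory itself, or anything below it after normalization
    return path is not None and (path + "/" == base.path or path.startswith(base.path))
```

Patterns that produce findings are the ones to replace with explicit redirect URIs in the client configuration.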
