CVE-2026-3872
Wildcard Redirect URI Bypass in Keycloak Leading to Token Theft

Publication date: 2026-04-02

Last updated on: 2026-04-16

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
Meta Information
Generated: 2026-05-06
AI Q&A generated: 2026-04-02
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
redhat build_of_keycloak *
redhat build_of_keycloak 26.2
redhat build_of_keycloak 26.2.15
redhat build_of_keycloak 26.4
redhat build_of_keycloak 26.4.11
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability in Keycloak allows an attacker to steal access tokens through bypassing redirect URI path restrictions, leading to information disclosure.

Such unauthorized access and information disclosure can potentially violate data protection requirements in common standards and regulations like GDPR and HIPAA, which mandate strict controls on access to personal and sensitive information.

Therefore, exploitation of this flaw could result in non-compliance with these regulations due to compromised confidentiality and unauthorized data access.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves checking for improper validation of the redirect_uri parameter in Keycloak, especially when wildcards are used in allowed redirect URIs.

One approach is to review the Keycloak server configuration for redirect URIs that include wildcards and test whether crafted redirect URIs can bypass path restrictions.

Specific commands are not provided in the available resources.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include reviewing and tightening the allowed redirect URI configurations in Keycloak to avoid using wildcards in paths.

Ensure that redirect URIs are explicitly defined without wildcards to prevent attackers from exploiting path bypasses.

Monitor for updates or patches from Keycloak or your Linux distribution and apply them as soon as they become available.


Can you explain this vulnerability to me?

CVE-2026-3872 is a high-severity vulnerability in Keycloak related to improper validation of the redirect_uri parameter.

The flaw allows an attacker to bypass the allowed path restrictions in redirect URIs that use wildcards by exploiting a failure in the validation logic to correctly enforce path constraints.

If an attacker controls another path on the same web server, they can craft a redirect URI that circumvents these restrictions, potentially leading to theft of access tokens.
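
As an added illustration (not Keycloak's code; the advisory does not say which path construction defeats its wildcard check), the validator below applies the mitigation above: exact redirect URIs match literally, and where a wildcard remains, a candidate path is accepted only if both its raw and its normalized form stay under the registered prefix on the same scheme and host. The hostnames, paths and registered entries are constructed.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Constructed client registration (example data, not from any real deployment):
# an exact entry, as the advisory's mitigation recommends, and a wildcard entry
# of the kind the advisory warns about, kept only to show how strict matching
# has to be if a wildcard is unavoidable.
REGISTERED = [
    "https://app.example.com/callback",   # exact match only
    "https://app.example.com/oidc/*",     # any path at or below /oidc
]

def _normalized_path(path: str) -> str:
    """Percent-decode once and collapse '.' and '..' segments."""
    return posixpath.normpath(unquote(path) or "/")

def _path_allowed(candidate: str, pattern: str) -> bool:
    """Exact patterns compare literally; '/prefix/*' accepts '/prefix' and paths
    below it, and only if the raw and the normalized form both agree."""
    if not pattern.endswith("/*"):
        return candidate == pattern
    prefix = pattern[:-2]
    norm = _normalized_path(candidate)
    return all(p == prefix or p.startswith(prefix + "/") for p in (candidate, norm))

def redirect_uri_allowed(redirect_uri: str, registered=REGISTERED) -> bool:
    """True only if redirect_uri matches a registered entry on scheme, authority
    and path; a wildcard never spans other hosts or sibling paths."""
    cand = urlsplit(redirect_uri)
    if not cand.scheme or not cand.netloc or cand.fragment:
        return False
    for entry in registered:
        reg = urlsplit(entry)
        if (cand.scheme.lower(), cand.netloc.lower()) != (reg.scheme.lower(), reg.netloc.lower()):
            continue  # scheme or host:port differs; path never compensates
        if _path_allowed(cand.path, reg.path):
            return True
    return False

if __name__ == "__main__":
    for uri in ("https://app.example.com/callback",
                "https://app.example.com/callback/extra",
                "https://app.example.com/oidc/login",
                "https://app.example.com/oidc/../other",
                "https://app.example.com/oidc/%2e%2e/other",
                "https://app.example.com/oidcX/login",
                "https://other.example.com/oidc/login"):
        print(f"{'allow' if redirect_uri_allowed(uri) else 'reject':6} {uri}")
```

The second half of the sample list shows why a plain prefix comparison is not enough: a same-host sibling path reaches the prefix check through dot segments, percent-encoding or a shared name prefix, and each is rejected here.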


How can this vulnerability impact me?

This vulnerability can lead to the theft of access tokens by attackers who exploit the redirect URI validation flaw.

The stolen access tokens can result in unauthorized information disclosure, compromising sensitive data.

Because the vulnerability allows bypassing security restrictions, it poses a significant risk to the confidentiality and integrity of user sessions and data.

