{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-3872", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-10T09:25:23.875Z", "datePublished": "2026-04-02T12:37:30.633Z", "dateUpdated": "2026-04-02T16:34:50.301Z"}, "containers": {"cna": {"title": "Keycloak: keycloak: information disclosure due to redirect_uri validation bypass", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.2.15-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.2-18", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.2-18", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.2.15", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "rhbk/keycloak-rhel9", "cpes": ["cpe:/a:redhat:build_keycloak:26.2::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "versions": [{"version": "26.4.11-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "versions": [{"version": "26.4-14", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "versions": [{"version": "26.4-14", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}, {"vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4.11", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected", "packageName": "rhbk/keycloak-rhel9", "cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:6475", "name": "RHSA-2026:6475", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6476", "name": "RHSA-2026:6476", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6477", "name": "RHSA-2026:6477", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6478", "name": "RHSA-2026:6478", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-3872", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445988", "name": "RHBZ#2445988", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-04-02T12:30:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "description": "URL Redirection to Untrusted Site ('Open Redirect')", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "workarounds": [{"lang": "en", "value": "To mitigate this vulnerability, avoid using wildcards in `redirect_uri` configurations within Keycloak. Restricting `redirect_uri` to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect."}], "timeline": [{"lang": "en", "time": "2026-03-10T09:16:29.034Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-02T12:30:00.000Z", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-02T16:34:50.301Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T13:15:11.566412Z", "id": "CVE-2026-3872", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:15:24.946Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-3872", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T13:15:11.566412Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T13:15:16.494Z"}}], "cna": {"title": "Keycloak: keycloak: information disclosure due to redirect_uri validation bypass", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.3, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "versions": [{"status": "unaffected", "version": "26.4-14", "lessThan": "*", "versionType": "rpm"}], "packageName": "keycloak-rhel9-operator-container", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "versions": [{"status": "unaffected", "version": "26.4.11-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-operator-bundle", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4", "versions": [{"status": "unaffected", "version": "26.4-14", "lessThan": "*", "versionType": "rpm"}], "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:26.4::el9"], "vendor": "Red Hat", "product": "Red Hat build of Keycloak 26.4.11", "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-10T09:16:29.034Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-04-02T12:30:00.000Z", "value": "Made public."}], "datePublic": "2026-04-02T12:30:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:6477", "name": "RHSA-2026:6477", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2026:6478", "name": "RHSA-2026:6478", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2026-3872", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445988", "name": "RHBZ#2445988", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "To mitigate this vulnerability, avoid using wildcards in `redirect_uri` configurations within Keycloak. Restricting `redirect_uri` to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-601", "description": "URL Redirection to Untrusted Site ('Open Redirect')"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-02T15:42:53.694Z"}, "x_redhatCweChain": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')"}}, "cveMetadata": {"cveId": "CVE-2026-3872", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:42:53.694Z", "dateReserved": "2026-03-10T09:25:23.875Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-04-02T12:37:30.633Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure."}], "id": "CVE-2026-3872", "lastModified": "2026-04-03T16:10:52.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.1, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2026-04-02T13:16:26.390", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6475"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6476"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6477"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2026:6478"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2026-3872"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445988"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"affected_release": [{"advisory": "RHSA-2026:6476", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-operator-bundle:26.2.15-1", "product_name": "Red Hat build of Keycloak 26.2", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6476", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-rhel9:26.2-18", "product_name": "Red Hat build of Keycloak 26.2", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6476", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-rhel9-operator:26.2-18", "product_name": "Red Hat build of Keycloak 26.2", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6475", "cpe": "cpe:/a:redhat:build_keycloak:26.2::el9", "package": "rhbk/keycloak-rhel9", "product_name": "Red Hat build of Keycloak 26.2.15", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6478", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-operator-bundle:26.4.11-1", "product_name": "Red Hat build of Keycloak 26.4", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6478", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-rhel9:26.4-14", "product_name": "Red Hat build of Keycloak 26.4", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6478", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-rhel9-operator:26.4-14", "product_name": "Red Hat build of Keycloak 26.4", "release_date": "2026-04-02T00:00:00Z"}, {"advisory": "RHSA-2026:6477", "cpe": "cpe:/a:redhat:build_keycloak:26.4::el9", "package": "rhbk/keycloak-rhel9", "product_name": "Red Hat build of Keycloak 26.4.11", "release_date": "2026-04-02T00:00:00Z"}], "bugzilla": {"description": "keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass", "id": "2445988", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445988"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-601", "details": ["A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure."], "mitigation": {"lang": "en:us", "value": "To mitigate this vulnerability, avoid using wildcards in `redirect_uri` configurations within Keycloak. Restricting `redirect_uri` to explicit, fully qualified URIs prevents the bypass of validation logic. This configuration change may require a service restart or reload to take effect."}, "name": "CVE-2026-3872", "public_date": "2026-04-02T12:30:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-3872\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3872"], "statement": "This is an Important information disclosure flaw in Keycloak's `redirect_uri` validation logic. An attacker controlling another path on the same web server could bypass allowed paths in wildcard `redirect_uri` configurations, potentially leading to access token theft. This affects Red Hat Build of Keycloak (RHBK) versions rhbk-26.2 and rhbk-26.4. Red Hat Build of Keycloak (RHBK) version rhbk-26 is not affected.", "threat_severity": "Important"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "Red Hat build of Keycloak 26.4", "source": "cna", "vendor": "Red Hat"}, "product": "build_of_keycloak", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-02T23:00:24.761965+00:00", "value": {"mitigation_remediation": ["Apply the Red Hat update packages that address CVE-2026-3872 (RHSA-2026:6475 through RHSA-2026:6478).", "After applying the patch, verify that all custom redirect URIs are fully qualified and do not contain wildcards.", "Reload or restart the Keycloak service to apply configuration changes.", "Validate that the redirect URI validation now rejects malformed requests from unauthorized paths."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure (access token theft)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Red Hat build of Keycloak versions 26.2 and 26.4, including the 26.2.15 and 26.4.11 patch levels. Services running any of these Red Hat Keycloak builds are potentially exposed.", "description_and_impact": "A flaw in Keycloak allows an attacker who controls another web path on the same server to bypass redirect URI validation that uses wildcards, enabling the attacker to retrieve an access token and disclose sensitive information. This bypass aligns with the improper authorization weakness identified as CWE-601.", "risk_and_exploitability": "The flaw carries a CVSS score of 7.3, indicating high severity, while EPSS information is not available and it is not listed in the CISA KEV catalog. An attacker must control an alternate path on the same web server and supply a redirect URI containing a wildcard to exploit the logic flaw. The risk is moderate to high, with a realistic chance of successful exploitation in environments where wildcard redirect URIs are configured."}}}}, "created": "2026-04-02T20:12:44.444910+00:00", "updated": "2026-04-03T09:18:50.634890+00:00", "vendors": ["redhat", "redhat$PRODUCT$build_of_keycloak"]}