CVE-2026-3872 (Severity: HIGH, CNA: redhat)
CVE-2026-3872: Keycloak: keycloak: information disclosure due to redirect_uri validation bypass
A flaw was found in Keycloak. An attacker who controls another path on the same web server can bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
Metrics
- CVSS v3.1: 7.3
- Severity: HIGH
- Fixed in: 26.2.15-1
- Affected Products: 8
Fix available
- 26.2.15-1
- 26.2-18
- 26.4.11-1
- 26.4-14
Affected packages
- Red Hat / Red Hat build of Keycloak 26.2 (fixed in 26.2.15-1)
- Red Hat / Red Hat build of Keycloak 26.2 (fixed in 26.2-18)
- Red Hat / Red Hat build of Keycloak 26.2 (fixed in 26.2-18)
- Red Hat / Red Hat build of Keycloak 26.2.15
- Red Hat / Red Hat build of Keycloak 26.4 (fixed in 26.4.11-1)
- Red Hat / Red Hat build of Keycloak 26.4 (fixed in 26.4-14)
- Red Hat / Red Hat build of Keycloak 26.4 (fixed in 26.4-14)
- Red Hat / Red Hat build of Keycloak 26.4.11
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N