PatchSiren cyber security CVE debrief
CVE-2026-3872 Red Hat CVE debrief
A flaw was found in Keycloak, which allows an attacker controlling another path on the same web server to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. This issue, CVE-2026-3872, has a CVSS score of 7.3 and is considered high severity. A successful attack could lead to the theft of an access token, resulting in information disclosure. The vulnerability was published on April 2, 2026, and last modified on June 30, 2026. The CVE record and NVD detail provide further information on this vulnerability.
- Vendor: Red Hat
- Product: Red Hat build of Keycloak 26.2
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-04-02
- Original CVE updated: 2026-06-30
- Advisory published: 2026-04-02
- Advisory updated: 2026-06-30
Who should care
Organizations using Keycloak for authentication and authorization should prioritize patching this vulnerability. Attackers could exploit this issue to steal access tokens and gain unauthorized access to sensitive information. Security teams should review their Keycloak deployments and apply patches or mitigations as recommended by the vendor.
Technical summary
CVE-2026-3872 is a vulnerability in Keycloak that allows an attacker to bypass allowed paths in redirect URIs. The issue arises from the handling of wildcard URIs, which could be exploited by an attacker controlling another path on the same web server. This could lead to the theft of access tokens and information disclosure. The vulnerability is classified under CWE-601. Keycloak versions 26.2, 26.2.15, 26.4, and 26.4.11 are affected.
Defensive priority
High priority should be given to patching Keycloak deployments. Security teams should review their inventory and apply patches or mitigations as recommended by Red Hat.
Recommended defensive actions
- Review Keycloak deployments and apply patches or mitigations as recommended by Red Hat.
- Implement additional monitoring and logging to detect potential exploitation attempts.
- Review and update security policies and procedures to address this vulnerability.
- Consider implementing compensating controls, such as additional authentication or authorization checks.
- Verify that Keycloak configurations are properly secured and follow best practices.
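Since the technical summary ties this issue to redirect URIs that use a wildcard, a practical configuration check is to inventory which clients rely on them. The script below is an added example, not part of this debrief or of Keycloak's own code: it reads the standard `clients[].redirectUris` field of a Keycloak realm export and ranks each wildcard pattern by how much of the host it covers. The realm name, client ids and URIs are constructed for the example.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a Keycloak realm export (clients[].redirectUris);
# the realm, client ids and URIs are made up for this example.
SAMPLE_REALM_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "portal", "redirectUris": ["https://portal.example.test/app/callback"]},
        {"clientId": "legacy", "redirectUris": ["https://portal.example.test/legacy/*"]},
        {"clientId": "dev-tool", "redirectUris": ["https://portal.example.test/*",
                                                  "http://localhost:8080/*"]},
        {"clientId": "wide-open", "redirectUris": ["*"]},
    ],
})


def classify_redirect_uri(uri):
    """Rank how permissive a redirect URI pattern is.

    'exact'         - no wildcard, the safest form
    'path-wildcard' - wildcard under a specific path on a host (the shape
                      this advisory concerns: other paths on the same host
                      must not be trusted)
    'host-wildcard' - wildcard matches every path on the host
    'any'           - the bare '*' pattern matches everything
    """
    if uri == "*":
        return "any"
    if "*" not in uri:
        return "exact"
    path = urlsplit(uri).path
    if path in ("", "*", "/*"):
        return "host-wildcard"
    return "path-wildcard"


def audit_realm(export_json):
    """Return (clientId, uri, category) for every non-exact redirect URI."""
    findings = []
    for client in json.loads(export_json).get("clients", []):
        for uri in client.get("redirectUris", []):
            category = classify_redirect_uri(uri)
            if category != "exact":
                findings.append((client["clientId"], uri, category))
    return findings


if __name__ == "__main__":
    # Clients listed here are candidates for replacing the wildcard with exact URIs.
    for client_id, uri, category in audit_realm(SAMPLE_REALM_EXPORT):
        print(f"{client_id}: {uri} -> {category}")
```

Run it against a real export (`kc.sh export` or the admin console's realm export) to get the list of clients to review after patching.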
Evidence notes
The CVE record and NVD detail provide information on this vulnerability. Red Hat has published several errata and advisories related to this issue, including RHSA-2026:6475, RHSA-2026:6476, RHSA-2026:6477, and RHSA-2026:6478. The bugzilla.redhat.com entry with ID 2445988 also provides additional context.
Official resources
- CVE-2026-3872 CVE record (CVE.org)
- CVE-2026-3872 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Vendor Advisory
- Mitigation or vendor reference: [email protected] - Issue Tracking, Vendor Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.