PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3872 Red Hat CVE debrief

A flaw was found in Keycloak. A client may register a redirect Uniform Resource Identifier (URI) that uses a wildcard, for example a path prefix on a given host; an attacker who controls another path on that same web server can bypass the path restriction that the wildcard was meant to enforce. A successful attack could lead to the theft of an access token, resulting in information disclosure. This issue, CVE-2026-3872, has a CVSS score of 7.3 and is rated high severity. The vulnerability was published on April 2, 2026 and last modified on June 30, 2026. The CVE record and NVD detail provide further information.

Vendor
Red Hat
Product
Red Hat build of Keycloak 26.2
CVSS
HIGH 7.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-02
Original CVE updated
2026-06-30
Advisory published
2026-04-02
Advisory updated
2026-06-30

Who should care

Organizations that run Keycloak as their OpenID Connect or OAuth 2.0 provider should prioritize this fix, above all where any client registers a redirect URI containing a wildcard on a host where other parties can control a path. A successful exploit hands the attacker an access token, and with it whatever the token authorizes. Security teams should identify their Keycloak deployments, apply the updates or mitigations Red Hat recommends, and review which clients depend on wildcard redirect URIs.

Technical summary

CVE-2026-3872 is a vulnerability in Keycloak's validation of redirect URIs. When a client's registered redirect URI uses a wildcard, the check is meant to confine redirects to the allowed path; an attacker who controls a different path on the same web server can satisfy the check and have the authorization response, including an access token, delivered to a location under their control. This leads to token theft and information disclosure. The vulnerability is classified under CWE-601 (URL Redirection to Untrusted Site, 'Open Redirect'). The source lists Keycloak 26.2, 26.2.15, 26.4 and 26.4.11 in connection with this issue; confirm against the Red Hat advisories which of these are affected and which carry the fix before treating any deployment as patched.

Defensive priority

High priority. Patch Keycloak deployments promptly: security teams should review their inventory and apply the updates or mitigations recommended by Red Hat, starting with instances that serve clients with wildcard redirect URIs.

Recommended defensive actions

  • Review Keycloak deployments and apply the updates or mitigations recommended by Red Hat (the RHSA errata listed under Evidence notes).
  • Inventory every client whose redirect URIs contain a wildcard. Replace wildcards with exact redirect URIs wherever the application allows it, and do not register a wildcard on a host where any other party can control a path.
  • Add monitoring for the redirect_uri recorded in Keycloak login events and alert on values outside the exact set each client is expected to use; a bypass passes Keycloak's own check, so failed-redirect errors alone will not reveal it.
  • Review and update the standards that govern client registration so that wildcard redirect URIs require an explicit, documented exception.
  • As a compensating control, prefer flows that do not deliver tokens in the redirect itself (the authorization code flow rather than the implicit flow) and keep token lifetimes short, so that a redirected response is worth less to an attacker.
  • Verify that Keycloak configurations follow the vendor's hardening guidance and that client settings have not drifted from what was reviewed.
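The two review steps above (finding clients that depend on wildcard redirect URIs, and checking recorded login events against an exact allowlist) can be scripted. The block below is an added example written for this debrief; it is not PatchSiren, Red Hat or Keycloak code. It assumes a Keycloak realm export with a "clients" list carrying "clientId" and "redirectUris", and login events in Keycloak's JSON event format with "type", "clientId" and "details.redirect_uri"; the realm fragment, the events and the EXPECTED allowlist are constructed for the demo and do not describe any real deployment or exploit.

```python
"""Audit helpers for CVE-2026-3872 exposure.

Added example, not PatchSiren, Red Hat or Keycloak code. Assumptions (not from the
debrief): a realm export JSON whose "clients" entries carry "clientId" and
"redirectUris", and login events in Keycloak's JSON event format with "type",
"clientId" and "details.redirect_uri". All sample data below is constructed.
"""
import json
from urllib.parse import urlsplit

# Constructed realm export fragment (hypothetical clients, not a real deployment).
REALM_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "portal", "redirectUris": ["https://apps.example.com/portal/*"]},
        {"clientId": "admin-ui", "redirectUris": ["https://apps.example.com/*"]},
        {"clientId": "billing", "redirectUris": ["https://billing.example.com/cb"]},
        {"clientId": "legacy", "redirectUris": ["*"]},
    ],
})

# Constructed Keycloak-style login events, one JSON object per line.
EVENTS = """\
{"type":"LOGIN","clientId":"portal","details":{"redirect_uri":"https://apps.example.com/portal/callback"}}
{"type":"LOGIN","clientId":"portal","details":{"redirect_uri":"https://apps.example.com/uploads/page.html"}}
{"type":"LOGIN","clientId":"billing","details":{"redirect_uri":"https://billing.example.com/cb"}}
{"type":"LOGIN_ERROR","clientId":"portal","details":{"redirect_uri":"https://other.example/cb"}}
"""

# Operator-maintained allowlist of the exact redirect targets each client really uses.
EXPECTED = {
    "portal": {"https://apps.example.com/portal/callback"},
    "billing": {"https://billing.example.com/cb"},
}


def wildcard_kind(uri):
    """Classify a registered redirect URI by how broad its wildcard is."""
    if "*" not in uri:
        return "exact"
    if uri == "*":
        return "any"            # matches every redirect target
    path = urlsplit(uri).path
    if path in ("", "/", "/*", "*"):
        return "host"           # any path on that origin
    return "path-prefix"        # a path prefix on one origin: the CVE's scenario


def find_wildcard_redirect_uris(realm_json):
    """Return (clientId, uri, kind) for every registered redirect URI that is not exact."""
    realm = json.loads(realm_json)
    findings = []
    for client in realm.get("clients", []):
        for uri in client.get("redirectUris", []):
            kind = wildcard_kind(uri)
            if kind != "exact":
                findings.append((client["clientId"], uri, kind))
    return findings


def flag_unexpected_redirects(event_lines, expected):
    """Return (clientId, redirect_uri) for successful logins whose redirect target
    is outside the client's expected set. LOGIN_ERROR events are skipped: those
    requests already failed Keycloak's own check, whereas a bypass succeeds."""
    flagged = []
    for line in event_lines.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("type") != "LOGIN":
            continue
        uri = event.get("details", {}).get("redirect_uri")
        if uri and uri not in expected.get(event.get("clientId"), set()):
            flagged.append((event["clientId"], uri))
    return flagged


if __name__ == "__main__":
    for client_id, uri, kind in find_wildcard_redirect_uris(REALM_EXPORT):
        print(f"wildcard redirect URI: client={client_id} uri={uri} scope={kind}")
    for client_id, uri in flag_unexpected_redirects(EVENTS, EXPECTED):
        print(f"unexpected redirect target: client={client_id} uri={uri}")
```

Run against a real realm export and an export of the realm's login events, the first function gives the list of clients whose registration should be tightened to exact URIs, and the second gives logins to review. The event check is retrospective and depends on the allowlist being complete; it narrows the investigation after the fact and is not a substitute for applying the Red Hat update.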

Evidence notes

The CVE record and NVD detail provide information on this vulnerability. Red Hat has published several errata and advisories related to this issue, including RHSA-2026:6475, RHSA-2026:6476, RHSA-2026:6477 and RHSA-2026:6478. The bugzilla.redhat.com entry with ID 2445988 provides additional context.

Official resources

This article is AI-assisted and based on the supplied source corpus.