CVE-2026-3872

high

Description

A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.

References

Advisories
More

https://access.redhat.com/errata/RHSA-2026:6478

https://access.redhat.com/errata/RHSA-2026:6477

https://bugzilla.redhat.com/show_bug.cgi?id=2445988

https://access.redhat.com/security/cve/CVE-2026-3872

Details

Source: Mitre, NVD

Published: 2026-04-02

Updated: 2026-04-02

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 7.3

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Severity: High