Platform: java
Component: keycloak
Fixed in: 26.2.16, 26.4.15
CVE-2026-3872 describes an information disclosure vulnerability in Keycloak. An attacker who controls another path on the same web server (same scheme and host) as a registered redirect URI can bypass Keycloak's redirect URI path restrictions, so that an authorization response, and with it an access token, is delivered to a path the attacker controls. Affected are Keycloak releases before the fixed versions listed above (26.2.16 and 26.4.15); a patch is available, and upgrading is the recommended remediation.
The core impact of CVE-2026-3872 is unauthorized access to protected resources. Redirect URI validation is the control that keeps an OAuth/OIDC authorization response bound to the legitimate client: the scheme and host of the attacker's URI are legitimate here, so the only thing standing between the attacker and the token is the path check. Once that check is bypassed, the token (or the response carrying it) lands on the attacker's path, and a stolen access token can be replayed to impersonate the user against any application or service that relies on Keycloak for authentication and authorization. This is the same failure class as other redirect target validation bugs: comparing the raw redirect URI string against a registered pattern instead of comparing canonicalized paths, so that path traversal segments, percent-encoding or a missing segment boundary let a URI that textually matches the pattern resolve to a different location on the server.
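The following is an added illustration of the bypass class just described, written for this page; it is not Keycloak's code and is not a reconstruction of the specific defect behind CVE-2026-3872. The registered URIs, client IDs and hostname are constructed. It puts a naive validator that prefix-matches the raw string beside a hardened one that first canonicalizes the path (percent-decoding, collapsing `.` and `..`, enforcing a segment boundary) and rejects fragments, and shows that an attacker who only controls a different path on the same host defeats the naive check but not the hardened one.

```python
"""Redirect URI path-restriction bypass: vulnerable vs. hardened matcher.

Illustrative code written for this page, not Keycloak's implementation.
All clients, URIs and hostnames below are constructed examples.
"""
import posixpath
from urllib.parse import urlsplit, unquote

# Constructed registrations: one exact URI, one prefix (wildcard) pattern.
REGISTERED = {
    "exact-client": ["https://idp.example.com/app/callback"],
    "prefix-client": ["https://idp.example.com/app/*"],
}


def naive_match(redirect_uri: str, pattern: str) -> bool:
    """VULNERABLE: textual comparison of the raw redirect_uri.

    A trailing '*' becomes a plain string-prefix test, so any URI that
    *starts with* the registered prefix passes, even if its path later
    escapes that prefix via '..' or percent-encoded traversal.
    """
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def canonical_path(path: str) -> str:
    """Percent-decode (repeatedly, to defeat double encoding) and collapse
    '.' / '..' segments so the result is the path the server would serve."""
    decoded = path
    for _ in range(3):                      # bounded loop: %252e -> %2e -> .
        again = unquote(decoded)
        if again == decoded:
            break
        decoded = again
    norm = posixpath.normpath(decoded)      # '/app/cb/../../evil' -> '/evil'
    if decoded.endswith("/") and not norm.endswith("/"):
        norm += "/"                         # keep trailing slash: it marks a directory prefix
    return norm


def hardened_match(redirect_uri: str, pattern: str) -> bool:
    """Compare scheme, host and *canonical* path; reject fragments and
    require a segment boundary after a wildcard prefix."""
    u = urlsplit(redirect_uri)
    p = urlsplit(pattern[:-1] if pattern.endswith("*") else pattern)
    if u.scheme.lower() != p.scheme.lower() or u.netloc.lower() != p.netloc.lower():
        return False
    if u.fragment:                          # redirect_uri must never carry a fragment
        return False
    if u.query and not p.query:             # unregistered query string: reject
        return False
    path = canonical_path(u.path)
    base = canonical_path(p.path)
    if pattern.endswith("*"):
        # '/app/' matches '/app' and '/app/anything', never '/appx' or '/evil'
        directory = base if base.endswith("/") else base + "/"
        return path == directory.rstrip("/") or path.startswith(directory)
    return path == base


def is_allowed(client_id: str, redirect_uri: str, matcher=hardened_match) -> bool:
    """Return True if redirect_uri matches any URI registered for client_id."""
    return any(matcher(redirect_uri, pat) for pat in REGISTERED.get(client_id, []))


if __name__ == "__main__":
    # Attacker controls https://idp.example.com/evil on the same host.
    attacks = [
        "https://idp.example.com/app/callback/../../evil",
        "https://idp.example.com/app/%2e%2e/evil",
        "https://idp.example.com/app/%252e%252e/evil",
    ]
    for uri in attacks:
        print(f"{uri}\n  naive={is_allowed('prefix-client', uri, naive_match)}"
              f"  hardened={is_allowed('prefix-client', uri)}")
```

The prefix case is the one that matters for "same web server, different path": scheme and host already match the registration, so only path canonicalization and the segment-boundary rule keep the token on the legitimate callback. The same `canonical_path` comparison can be reused to review logged `redirect_uri` values for entries whose canonical path differs from the raw one.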
CVE-2026-3872 was publicly disclosed on 2026-04-02. The vulnerability's severity is rated as HIGH with a CVSS score of 7.3. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog as of this writing, but its HIGH severity warrants ongoing monitoring.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-3872 is to upgrade Keycloak to a patched release: 26.2.16 or later on the 26.2 line, or 26.4.15 or later on the 26.4 line. Until the upgrade is done, reduce exposure at the source of the problem: register exact redirect URIs per client rather than wildcard or prefix patterns, and do not host content that untrusted parties can control on the same scheme and host as a registered redirect URI, since the bypass depends on the attacker owning another path on that server. A WAF rule that rejects authorization requests whose redirect_uri contains traversal segments or percent-encoded dots narrows the window but is not a substitute for the fix. Review Keycloak's event log for login attempts with redirect_uri values that do not match the registered callback exactly, and alert on them.
Update Keycloak to version 26.2.16 or later, or to version 26.4.15 or later. The update fixes the vulnerability by tightening redirect URI validation so that a URI on a different path of the same server no longer satisfies the path restriction, closing the security control bypass and the resulting token disclosure.
CVE-2026-3872 is a HIGH severity vulnerability in Keycloak releases before 26.2.16 and before 26.4.15 that allows an attacker controlling another path on the same web server to bypass redirect URI path restrictions and potentially steal access tokens.
If you are running a Keycloak release older than 26.2.16 (26.2 line) or older than 26.4.15 (26.4 line), you are potentially affected. Check the official Keycloak advisory for the precise affected ranges.
Upgrade to Keycloak 26.2.16 or 26.4.15 (or later) as soon as possible, and consult the official Keycloak security advisories for any later guidance.
As of now, there are no known public exploits or active campaigns targeting this vulnerability, but its HIGH severity warrants ongoing monitoring.
Refer to the official Keycloak security advisories on the Keycloak website for the most up-to-date information and guidance.