Platform: java
Component: keycloak
Fixed in: 26.2.16, 26.4.15
CVE-2026-3872 is an information disclosure vulnerability in Keycloak. An attacker who controls another path on the same web server as a client's registered redirect URI can bypass the redirect URI path restriction and, through that, steal access tokens. Affected versions are listed as Keycloak 26.2.15 and later; the fixed releases are 26.2.16 and 26.4.15, and upgrading is the recommended remediation.
The core impact of CVE-2026-3872 is unauthorized access to sensitive information. An attacker who controls another path on the same web server as Keycloak's registered redirect target can craft a redirect_uri that passes the path restriction yet delivers the authorization response to a location under the attacker's control. Tokens intercepted this way grant access to every resource the compromised client protects with Keycloak, so the blast radius is every application or service that relies on that Keycloak deployment for authentication and authorization: a stolen access token lets the attacker impersonate the legitimate user and read their protected data. The flaw belongs to the familiar class of redirect-target validation bugs, where a check on the redirect URI accepts a value the browser or server later resolves somewhere else.
CVE-2026-3872 was publicly disclosed on 2026-04-02. The vulnerability's severity is rated as HIGH with a CVSS score of 7.3. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog as of this writing, but its HIGH severity warrants ongoing monitoring.
Organizations that use Keycloak for authentication and authorization are at risk, particularly those with complex redirect URI configurations or shared hosting. The precondition is an attacker-controllable path on the same host as a registered redirect URI: a second application, a tenant prefix, or user-uploaded content served from the same origin as the OIDC callback. In such environments a weakness in one application can be turned into a bypass of Keycloak's redirect URI validation for another.
Checks (replace the placeholder path, hostname, realm and client id):

• java / server: search the Keycloak log for redirect_uri values. Rejected logins show up as LOGIN_ERROR events with error=invalid_redirect_uri when the default jboss-logging event listener is enabled. The Quarkus distribution logs to stdout by default, so on a container or systemd host the log comes from docker logs or journalctl rather than a file.

  grep -i 'redirect_uri' /path/to/keycloak/logs/keycloak.log

• generic web: confirm that the authorization endpoint rejects a redirect_uri that is not registered for the client; Keycloak answers with an HTTP 400 error page (Invalid parameter: redirect_uri). The URL must be quoted so the shell does not treat & as a command separator. This only verifies host-level validation; it does not exercise the path-restriction bypass itself.

  curl -s -o /dev/null -w '%{http_code}\n' 'https://your-keycloak-instance/realms/your-realm/protocol/openid-connect/auth?client_id=your-client-id&response_type=code&redirect_uri=http://attacker.com/evildisclosure'
Exploit status
EPSS: 0.03% (10th percentile)
CISA SSVC: not given
CVSS vector: not given
The primary mitigation for CVE-2026-3872 is to upgrade Keycloak to a fixed release, 26.2.16 or 26.4.15 (see the fixed-in versions above), and to check the official Keycloak security advisories for any later guidance. Until the upgrade lands, tighten each client's Valid Redirect URIs: register exact callback URLs rather than wildcard patterns, and do not serve untrusted or user-controllable content from the same origin as an OIDC callback, since the attack requires the attacker to own another path on that host. A Web Application Firewall can block authorization requests whose redirect_uri looks suspicious (dot segments or percent-encoded path separators are the usual tools of path-restriction bypasses). Monitor Keycloak's LOGIN_ERROR events for error=invalid_redirect_uri and alert on bursts of rejected redirect URIs aimed at one client.
Upgrade Keycloak to version 26.2.16 or later, or to version 26.4.15 or later. The update fixes the vulnerability by improving redirect URI validation, preventing the bypass of the security control and protecting against the resulting information disclosure.
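The following Python is an added example; it is not Keycloak's code and does not claim to reproduce this CVE's exact root cause, which the page does not describe. It illustrates the class of bug named in the impact section above (a redirect_uri path restriction that an attacker who controls another path on the same host can defeat) and the log check suggested in the mitigation section: a weak prefix check beside a strict one, both run over constructed access-log lines. The host portal.example.com, the registered redirect URI, the realm and client names, the /uploads/ path and every log line are assumptions made for the example.

```python
"""Added example (not Keycloak code): redirect_uri path restriction, weak vs
strict, plus a scan of constructed access-log lines for bypass attempts."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed registered redirect URI of an OIDC client whose host also serves
# other applications (for example user uploads under /uploads/).
REGISTERED_REDIRECT = "https://portal.example.com/shop/callback"


def naive_path_prefix_check(redirect_uri: str) -> bool:
    """Weak 'path restriction': a plain string prefix match.

    The browser resolves dot segments after this check has run, so
    .../shop/callback/../uploads/evil.html passes here and then lands on
    /uploads/evil.html, a path the attacker controls."""
    return redirect_uri.startswith(REGISTERED_REDIRECT)


def strict_redirect_check(redirect_uri: str) -> bool:
    """Strict check: same scheme, host and port; path equal to the registered
    one after a single percent-decode; no dot segments, query or fragment."""
    want = urlsplit(REGISTERED_REDIRECT)
    try:
        got = urlsplit(redirect_uri)
    except ValueError:
        return False
    if (got.scheme.lower(), got.netloc.lower()) != (want.scheme, want.netloc):
        return False
    path = unquote(got.path)          # %2F..%2F becomes /../
    if "%" in path:                   # escapes left over: double encoding
        return False
    if any(seg in (".", "..") for seg in path.split("/")):
        return False
    return path == want.path and not got.query and not got.fragment


AUTH_QUERY = re.compile(r"/protocol/openid-connect/auth\?(\S+)")


def extract_redirect_uris(log_lines):
    """Pull every redirect_uri (decoded once, as the server would) out of
    authorization-endpoint requests in access-log style lines."""
    uris = []
    for line in log_lines:
        m = AUTH_QUERY.search(line)
        if m:
            params = parse_qs(m.group(1), keep_blank_values=True)
            uris.extend(params.get("redirect_uri", []))
    return uris


def suspicious_redirects(log_lines):
    """redirect_uri values that the prefix check accepts but the strict check
    rejects: the ones worth alerting on."""
    return [u for u in extract_redirect_uris(log_lines)
            if naive_path_prefix_check(u) and not strict_redirect_check(u)]


# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    # legitimate login
    '10.0.0.5 - - [02/Apr/2026:10:00:01 +0000] "GET /realms/demo/protocol/openid-connect/auth'
    '?client_id=shop&response_type=code&redirect_uri=https%3A%2F%2Fportal.example.com'
    '%2Fshop%2Fcallback HTTP/1.1" 302 -',
    # dot-segment traversal to another path on the same host
    '198.51.100.7 - - [02/Apr/2026:10:00:09 +0000] "GET /realms/demo/protocol/openid-connect/auth'
    '?client_id=shop&response_type=code&redirect_uri=https%3A%2F%2Fportal.example.com'
    '%2Fshop%2Fcallback%2F..%2Fuploads%2Fevil.html HTTP/1.1" 302 -',
    # double-encoded variant of the same traversal
    '198.51.100.7 - - [02/Apr/2026:10:00:12 +0000] "GET /realms/demo/protocol/openid-connect/auth'
    '?client_id=shop&response_type=code&redirect_uri=https%3A%2F%2Fportal.example.com'
    '%2Fshop%2Fcallback%252F..%252Fuploads%252Fevil.html HTTP/1.1" 302 -',
    # foreign host: both checks reject it, so it is not a path bypass
    '203.0.113.9 - - [02/Apr/2026:10:00:20 +0000] "GET /realms/demo/protocol/openid-connect/auth'
    '?client_id=shop&response_type=code&redirect_uri=https%3A%2F%2Fattacker.example%2Fcb'
    ' HTTP/1.1" 400 -',
]

if __name__ == "__main__":
    for uri in suspicious_redirects(SAMPLE_LOG):
        print("suspicious redirect_uri:", uri)
```

Run directly, the script prints the two traversal variants and nothing for the legitimate login or the foreign host. On real data, feed it the access log of the reverse proxy in front of Keycloak: Keycloak's own log records redirect_uri mainly for rejected logins, while the requests that matter here are the ones the server accepted. The strict check deliberately rejects an explicit default port, a trailing slash or a query string; register the redirect URI in exactly the form the application sends.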
CVE-2026-3872 is a HIGH severity vulnerability in Keycloak (affected versions listed as 26.2.15 and later) that lets an attacker controlling another path on the same web server bypass redirect URI path restrictions and potentially steal access tokens.
If you run an affected Keycloak version, you are potentially affected by this vulnerability. Check the official Keycloak advisory for the exact affected range.
Upgrade Keycloak to a fixed release, 26.2.16 or 26.4.15 or later, as soon as possible, and consult the official Keycloak security advisories for the latest recommended version.
As of now, there are no known public exploits or active campaigns targeting this vulnerability, but its HIGH severity warrants ongoing monitoring.
Refer to the official Keycloak security advisories on the Keycloak website for the most up-to-date information and guidance.