{
  "threat_severity" : "Important",
  "public_date" : "2026-04-02T12:30:00Z",
  "bugzilla" : {
    "description" : "keycloak: Keycloak: Information disclosure due to redirect_uri validation bypass",
    "id" : "2445988",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2445988"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-601",
  "details" : [ "A flaw was found in Keycloak. This issue allows an attacker who controls another path on the same web server to bypass the path restriction of an allowed redirect Uniform Resource Identifier (URI) pattern that uses a wildcard, so that a redirect intended for the legitimate application is delivered to the attacker-controlled path instead. A successful attack may lead to the theft of an access token, resulting in information disclosure.", "A flaw was found in Keycloak. This issue allows an attacker who controls another path on the same web server to bypass the path restriction of an allowed redirect Uniform Resource Identifier (URI) pattern that uses a wildcard, so that a redirect intended for the legitimate application is delivered to the attacker-controlled path instead. A successful attack may lead to the theft of an access token, resulting in information disclosure." ],
  "statement" : "This is an Important information disclosure flaw in Keycloak's `redirect_uri` validation logic. An attacker controlling another path on the same web server could bypass allowed paths in wildcard `redirect_uri` configurations, potentially leading to access token theft. This affects Red Hat Build of Keycloak (RHBK) versions rhbk-26.2 and rhbk-26.4. Red Hat Build of Keycloak (RHBK) version rhbk-26 is not affected.",
  "acknowledgement" : "Red Hat would like to thank Meeranh for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Keycloak 26.2",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6476",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.2.15-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.2",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6476",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9",
    "package" : "rhbk/keycloak-rhel9:26.2-18"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.2",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6476",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.2-18"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.2.15",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6475",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.2::el9",
    "package" : "rhbk/keycloak-rhel9"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6478",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.4.11-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6478",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9:26.4-14"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6478",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.4-14"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4.11",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6477",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-3872\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-3872" ],
  "name" : "CVE-2026-3872",
  "mitigation" : {
    "value" : "To mitigate this vulnerability, avoid using wildcards in the allowed `redirect_uri` patterns configured for Keycloak clients. Restrict each client's allowed redirect URIs to explicit, fully qualified URIs (scheme, host, port and exact path); this prevents the bypass of the validation logic because an attacker who controls another path on the same web server can no longer match an allowed pattern. Review every client for wildcard entries, since any client that keeps a wildcard pattern remains exposed. This configuration change may require a service restart or reload to take effect.",
    "lang" : "en:us"
  },
  "csaw" : false
}