Path Traversal Vulnerability in Keycloak by Red Hat
CVE-2026-3872

7.3HIGH

Key Information:

Vendor

Red Hat
Status
Red Hat Build Of Keycloak 26.2
Red Hat Build Of Keycloak 26.2.15
Red Hat Build Of Keycloak 26.4
Red Hat Build Of Keycloak 26.4.11
Vendor
CVE Published:
2 April 2026

What is CVE-2026-3872?

A significant flaw has been identified in Keycloak that enables an attacker to manipulate redirect URIs using wildcards. If an attacker controls a different path on the same server, they can bypass existing protections, potentially leading to unauthorized access and the theft of access tokens. This may result in sensitive information being disclosed, thus compromising user security and data confidentiality.

Affected Version(s)

Red Hat build of Keycloak 26.2 26.2.15-1

Red Hat build of Keycloak 26.2 26.2-18

Red Hat build of Keycloak 26.2 26.2-18

References

https://access.redhat.com/errata/RHSA-2026:6475
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6476
vendor-advisoryx_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2026:6477
vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.