CVE-2026-3872
Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
CVSS 3.1 base score: 7.3 (HIGH). EPSS: 0.01%.
Description
A flaw was found in Keycloak. When a client's registered redirect URI uses a wildcard, an attacker who controls another path on the same web server can use the `..;/` path-traversal sequence to escape the allowed path, so the OIDC authorization endpoint redirects to the attacker-controlled path instead. A successful attack may lead to theft of an access token, resulting in information disclosure.
How to fix CVE-2026-3872
To remediate CVE-2026-3872, upgrade the affected package to the fixed version below.
- Upgrade Keycloak to 26.5.7 or later
Is CVE-2026-3872 being exploited?
Low: EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Keycloak: all versions from 0 up to, but not including, 26.5.7
CVSS scores
| Source | Version | Severity | Score | Vector |
|---|---|---|---|---|
| osv | CVSS 3.1 | HIGH | 7.3 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N |