CVE-2026-3872 Overview
A security flaw has been discovered in Keycloak, the popular open-source identity and access management solution. The vulnerability allows an attacker who controls another path on the same web server to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. Successful exploitation may lead to the theft of an access token, resulting in information disclosure and potential account compromise.
Critical Impact
Attackers can bypass redirect URI validation to steal OAuth access tokens, potentially compromising user accounts and sensitive data protected by Keycloak authentication.
Affected Products
- Keycloak (versions prior to patched releases)
- Red Hat Single Sign-On (related products covered by RHSA advisories)
- Red Hat Build of Keycloak
Discovery Timeline
- April 2, 2026 - CVE-2026-3872 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-3872
Vulnerability Analysis
This vulnerability is classified as CWE-601 (URL Redirection to Untrusted Site, also known as Open Redirect). The flaw exists in Keycloak's redirect URI validation logic when wildcard patterns are used in the allowed redirect URI configuration.
Keycloak allows administrators to configure valid redirect URIs for OAuth/OIDC clients using wildcard patterns. However, the path validation logic contains a flaw that can be exploited when an attacker controls another path on the same web server. This allows the attacker to craft a malicious redirect URI that passes validation but redirects users to an attacker-controlled location.
The attack is reachable over the network and low in complexity, but it requires the attacker to hold some level of authenticated access (low privileges) and requires user interaction to complete the attack chain.
Root Cause
The root cause lies in improper validation of redirect URIs containing wildcards. When Keycloak evaluates a redirect URI against a wildcard pattern, the matching logic does not properly constrain the path components, allowing an attacker who controls a path on the same server to construct URIs that bypass the intended restrictions.
This is a classic open redirect vulnerability pattern where insufficient validation of user-controlled input (the redirect URI) allows redirection to unintended destinations.
Attack Vector
The attack exploits the network-accessible OAuth/OIDC authentication flow in Keycloak. The attack scenario involves:
- An attacker identifies a Keycloak client configured with a wildcard redirect URI pattern
- The attacker, controlling another path on the same web server, crafts a malicious redirect URI that matches the wildcard pattern but points to their controlled path
- A victim user is tricked into initiating an authentication flow with the crafted redirect URI
- Upon successful authentication, Keycloak redirects the user to the attacker-controlled path with the access token
- The attacker captures the access token and can impersonate the victim
The vulnerability requires user interaction as the victim must click on a malicious link or be redirected through the crafted authentication flow.
Detection Methods for CVE-2026-3872
Indicators of Compromise
- Unusual redirect URI patterns in authentication logs that match wildcard configurations but redirect to unexpected paths
- Access token grants followed by immediate requests from different IP addresses or geographic locations
- Authentication flows completing successfully but with redirect URIs to paths not typically associated with legitimate application flows
- Increased OAuth callback requests to uncommon paths on the server
Detection Strategies
- Monitor Keycloak authentication logs for redirect URIs that match wildcard patterns but redirect to unexpected or suspicious paths
- Implement alerting on authentication token grants where the redirect destination differs from known legitimate application endpoints
- Review client configurations for overly permissive wildcard redirect URI patterns
- Deploy web application firewall (WAF) rules to detect and block suspicious redirect patterns in OAuth flows
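The indicators and detection strategies above can be checked mechanically against Keycloak's event log. The following is an added example, not part of the original advisory and not Keycloak's own code: it parses lines in the shape of Keycloak's org.keycloak.events logger output, flags LOGIN events whose redirect_uri is not one of the client's known callback endpoints, and flags a CODE_TO_TOKEN exchange that comes from a different IP address than the LOGIN it belongs to. The sample log lines, client name, user ids, IP addresses and the KNOWN_CALLBACKS allowlist are all constructed for the example.

```python
"""Detection over Keycloak event-log lines (added example, not Keycloak code).

Input format assumed: the org.keycloak.events logger, which writes one
event per line as comma-separated key=value pairs after 'type='. The
sample below is constructed for the example.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: two logins; the second uses a redirect_uri that Keycloak
# accepted but which is not a known application endpoint, and its code is
# exchanged for tokens from a different IP than the one that logged in.
SAMPLE_LOG = """\
2026-04-02 10:15:31,101 INFO  [org.keycloak.events] (executor-thread-1) type=LOGIN, realmId=myrealm, clientId=webapp, userId=u-1, ipAddress=198.51.100.10, auth_method=openid-connect, auth_type=code, redirect_uri=https://app.example.com/app/callback, code_id=c-1, username=alice
2026-04-02 10:15:32,204 INFO  [org.keycloak.events] (executor-thread-2) type=CODE_TO_TOKEN, realmId=myrealm, clientId=webapp, userId=u-1, ipAddress=198.51.100.10, token_id=t-1, code_id=c-1
2026-04-02 10:16:05,330 INFO  [org.keycloak.events] (executor-thread-1) type=LOGIN, realmId=myrealm, clientId=webapp, userId=u-2, ipAddress=198.51.100.22, auth_method=openid-connect, auth_type=code, redirect_uri=https://app.example.com/static/uploads/cb, code_id=c-2, username=bob
2026-04-02 10:16:06,412 INFO  [org.keycloak.events] (executor-thread-3) type=CODE_TO_TOKEN, realmId=myrealm, clientId=webapp, userId=u-2, ipAddress=203.0.113.77, token_id=t-2, code_id=c-2
"""

# Constructed allowlist: the callback endpoints each client legitimately uses.
KNOWN_CALLBACKS = {"webapp": {"https://app.example.com/app/callback"}}

EVENT_RE = re.compile(r"\[org\.keycloak\.events\].*?\btype=(?P<type>[A-Z_]+),\s*(?P<rest>.*)$")


def parse_events(text: str) -> list[dict]:
    """Turn each org.keycloak.events line into a dict of its key=value fields."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        fields = {"type": m.group("type")}
        for kv in m.group("rest").split(", "):
            key, _, value = kv.partition("=")
            fields[key] = value
        events.append(fields)
    return events


def canonical(uri: str) -> str:
    """Compare scheme, host and path only; query and fragment are ignored."""
    p = urlsplit(uri)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def find_suspicious(events: list[dict], known: dict) -> list[tuple]:
    """Return (alert, subject, detail) tuples for the two detections."""
    alerts = []
    login_ip = {}  # (userId, code_id) -> ipAddress of the LOGIN that issued the code
    for ev in events:
        if ev["type"] == "LOGIN":
            allowed = {canonical(a) for a in known.get(ev.get("clientId", ""), set())}
            uri = ev.get("redirect_uri", "")
            if canonical(uri) not in allowed:
                alerts.append(("unexpected_redirect_uri", ev.get("username"), uri))
            login_ip[(ev.get("userId"), ev.get("code_id"))] = ev.get("ipAddress")
        elif ev["type"] == "CODE_TO_TOKEN":
            src = login_ip.get((ev.get("userId"), ev.get("code_id")))
            if src and src != ev.get("ipAddress"):
                alerts.append(("token_exchange_from_different_ip", ev.get("userId"),
                               f"{src} -> {ev.get('ipAddress')}"))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious(parse_events(SAMPLE_LOG), KNOWN_CALLBACKS):
        print(alert)
```

The IP comparison is meaningful for public clients (browser and mobile apps), where the same device performs the login and the code exchange. For confidential clients the token endpoint is called by the application's backend, so a differing address is normal there and that check should be scoped to public clients only.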
Monitoring Recommendations
- Enable detailed logging for OAuth/OIDC authentication flows in Keycloak
- Monitor for anomalous access token usage patterns that may indicate token theft
- Review audit logs for client configuration changes, particularly to redirect URI settings
- Implement session monitoring to detect token reuse from different network locations
How to Mitigate CVE-2026-3872
Immediate Actions Required
- Review all Keycloak client configurations and identify those using wildcard redirect URI patterns
- Replace overly broad wildcard patterns with explicit, fully-qualified redirect URIs where possible
- Apply the latest security patches from Red Hat advisories immediately
- Audit existing access tokens and consider invalidating sessions if compromise is suspected
Patch Information
Red Hat has released multiple security advisories addressing this vulnerability:
- Red Hat Security Advisory RHSA-2026:6475
- Red Hat Security Advisory RHSA-2026:6476
- Red Hat Security Advisory RHSA-2026:6477
- Red Hat Security Advisory RHSA-2026:6478
For additional details, refer to the Red Hat CVE Analysis for CVE-2026-3872 and Red Hat Bug Report #2445988.
Workarounds
- Replace wildcard redirect URI patterns with explicit, fully-qualified URIs for all OAuth/OIDC clients
- Implement additional redirect URI validation at the application layer before accepting tokens
- Use the most restrictive redirect URI patterns possible, avoiding wildcards when feasible
- Consider implementing PKCE (Proof Key for Code Exchange), which binds the authorization code to the client instance that started the flow, as additional protection against token interception
# Example: review Keycloak client configurations for wildcard redirect URIs
# Authenticate the admin CLI first (prompts for the admin password)
./kcadm.sh config credentials --server https://sso.example.com --realm master --user admin
# List clients whose redirect URIs contain a wildcard; CSV output keeps clientId and pattern on one line
./kcadm.sh get clients -r your-realm --fields clientId,redirectUris --format csv | grep -F '*'
# Look up the internal id (not the clientId) of the client to change
./kcadm.sh get clients -r your-realm -q clientId=your-client --fields id
# Update the client to use an explicit redirect URI instead of the wildcard
./kcadm.sh update clients/CLIENT_ID -r your-realm -s 'redirectUris=["https://app.example.com/callback"]'
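The Root Cause section above describes wildcard matching that fails to constrain the path, and the Workarounds recommend additional redirect-URI validation at the application layer. The following is an added example, not Keycloak's code and not a description of Keycloak's actual matching logic: it contrasts a generic weak prefix-only matcher with a strict one that pins scheme, host and port, rejects userinfo and fragments, decodes and normalizes the path, and only then checks that the path stays under the wildcard's directory. It also includes an audit helper that flags overly permissive patterns such as the ones the kcadm listing would surface. All patterns, hosts and URIs are constructed for the example, and the audit criteria are this example's choices.

```python
"""Strict redirect-URI matching and pattern audit (added example, not Keycloak code).

Illustrates the checks a wildcard redirect-URI validator needs so that a
pattern such as https://app.example.com/app/* cannot be satisfied by a URI
whose path escapes /app/. Sample patterns and URIs are constructed.
"""
import posixpath
from urllib.parse import unquote, urlsplit


def naive_match(pattern: str, uri: str) -> bool:
    """Weak pattern shown for contrast: a trailing '*' is a plain string prefix.
    Dot segments and percent-encoding are never considered, so a path like
    /app/../other/cb passes for https://host/app/* even though the browser
    will resolve it to /other/cb before sending the request."""
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def _normalize_path(path: str) -> str:
    """Collapse '.' and '..' segments as a browser does, keeping a trailing slash."""
    path = path or "/"
    norm = posixpath.normpath(path)
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return norm


def strict_match(pattern: str, uri: str) -> bool:
    """Accept uri only if scheme, host and port equal the pattern's, there is no
    userinfo or fragment, and the decoded, normalized path stays under the
    wildcard's directory (or equals the path exactly when there is no wildcard)."""
    p, u = urlsplit(pattern), urlsplit(uri)
    if u.scheme.lower() != p.scheme.lower():
        return False
    if u.username is not None or u.password is not None or u.fragment:
        return False
    # Ports are compared literally: https://host/ and https://host:443/ differ here.
    if (u.hostname or "").lower() != (p.hostname or "").lower() or u.port != p.port:
        return False
    decoded = unquote(u.path)
    if "%" in decoded:  # still encoded after one pass: reject double-encoding outright
        return False
    candidate = _normalize_path(decoded)
    if p.path.endswith("/*"):
        allowed_dir = _normalize_path(p.path[:-1])  # "/app/*" -> "/app/"
        return candidate.startswith(allowed_dir)
    return candidate == _normalize_path(p.path)


def audit_pattern(pattern: str) -> list[str]:
    """Flag redirect-URI patterns that are too permissive (example criteria)."""
    if pattern.strip() == "*":
        return ["accepts any redirect URI"]
    parts = urlsplit(pattern)
    findings = []
    if "*" in pattern and not pattern.endswith("*"):
        findings.append("wildcard not at the end of the URI")
    if "*" in parts.netloc:
        findings.append("wildcard inside the host component")
    if pattern.endswith("*") and parts.path in ("", "/", "*", "/*"):
        findings.append("wildcard covers every path on the host")
    if parts.scheme == "http" and parts.hostname not in ("localhost", "127.0.0.1"):
        findings.append("plain http redirect target")
    return findings


if __name__ == "__main__":
    pattern = "https://app.example.com/app/*"  # constructed
    for uri in ("https://app.example.com/app/callback",
                "https://app.example.com/app/../other/cb",
                "https://app.example.com/app2/callback"):
        print(uri, "naive:", naive_match(pattern, uri), "strict:", strict_match(pattern, uri))
    for pat in ("https://app.example.com/*", "http://*.example.com/callback", "*"):
        print(pat, audit_pattern(pat))
```

Feeding the clientId,redirectUris pairs from the kcadm listing through audit_pattern gives a quick triage of which clients need their patterns replaced with explicit URIs; strict_match is the shape of check an application can apply to the redirect_uri it receives before it accepts a token.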
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.