{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-3872/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-3872"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["keycloak","redirect-uri-bypass","cve-2026-3872","authentication","authorization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3872 is a security flaw found in Keycloak, a popular open-source identity and access management solution. This vulnerability allows a malicious actor who has control over another path on the same web server hosting Keycloak to circumvent the allowed path restrictions in redirect URIs that use a wildcard. By exploiting this weakness, an attacker can potentially redirect a user to a malicious site after authentication, intercept the access token, and gain unauthorized access to the user\u0026rsquo;s resources. The vulnerability could lead to the disclosure of sensitive information and potentially compromise user accounts. This was published on April 2, 2026, and has a CVSS v3.1 score of 7.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains control of a path on the same web server hosting the Keycloak instance. This could be achieved through various means, such as exploiting a separate vulnerability in another application hosted on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL that exploits the wildcard redirect URI validation flaw in Keycloak. The crafted URL includes a redirect URI that bypasses the intended restrictions.\u003c/li\u003e\n\u003cli\u003eA legitimate user initiates an authentication request to Keycloak, potentially through a vulnerable application relying on Keycloak for authentication.\u003c/li\u003e\n\u003cli\u003eKeycloak processes the authentication request and, due to the vulnerability, accepts the attacker\u0026rsquo;s crafted redirect URI as valid.\u003c/li\u003e\n\u003cli\u003eKeycloak redirects the user to the attacker-controlled URL after successful authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server captures the access token from the redirect URI.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen access token to impersonate the user and access protected resources.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information or performs actions on behalf of the user, leading to information disclosure or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3872 can lead to the theft of access tokens, enabling unauthorized access to user accounts and sensitive data. This could result in the compromise of user privacy, financial loss, or reputational damage for organizations relying on affected Keycloak instances. The impact is significant because Keycloak is used across various sectors to secure web applications and APIs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patches or updates provided by Red Hat for Keycloak to address CVE-2026-3872. Refer to the Red Hat advisory linked in the references for specific instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts of CVE-2026-3872 based on suspicious redirect URIs in web server logs.\u003c/li\u003e\n\u003cli\u003eReview and harden the configuration of redirect URIs in Keycloak, avoiding the use of wildcards where possible and implementing stricter validation rules.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to redirect URIs, looking for unusual patterns or attempts to access unauthorized resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:16:26Z","date_published":"2026-04-02T13:16:26Z","id":"/briefs/2026-04-keycloak-redirect-bypass/","summary":"CVE-2026-3872 is a vulnerability in Keycloak that allows an attacker controlling a path on the same web server to bypass URI redirect validation using a wildcard, potentially leading to access token theft and information disclosure.","title":"Keycloak Redirect URI Bypass Vulnerability (CVE-2026-3872)","url":"https://feed.craftedsignal.io/briefs/2026-04-keycloak-redirect-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-3872","version":"https://jsonfeed.org/version/1.1"}