CVE-2026-3872: Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.
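To show why a wildcard redirect URI needs more than a string-prefix check, here is an added example that is not Keycloak's code: a naive matcher beside a hardened one, plus a model of how a servlet-style backend would interpret a `..;/` segment. The pattern, the URIs and the backend model are constructed assumptions for this illustration.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed values for this example; not Keycloak configuration.
PATTERN = "https://app.example.com/myapp/*"
GOOD_URI = "https://app.example.com/myapp/callback"
TRAVERSAL_URI = "https://app.example.com/myapp/..;/other/callback"


def naive_match(redirect_uri: str, pattern: str) -> bool:
    """Weak check: treats 'prefix/*' as a plain string prefix, so anything that
    merely begins with the allowed path is accepted, even if it later climbs out."""
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def backend_path(path: str) -> str:
    """Model (an assumption, not a statement about Keycloak) of how a servlet-style
    server interprets the path: ';...' path parameters are dropped from every
    segment, then '.' and '..' are resolved, so '/myapp/..;/other/callback'
    is served by '/other/callback', a path outside the allowed prefix."""
    without_params = "/".join(seg.split(";", 1)[0] for seg in path.split("/"))
    return posixpath.normpath(without_params)


def hardened_match(redirect_uri: str, pattern: str) -> bool:
    """Parse both sides, require identical scheme and host, refuse a fragment,
    refuse any path segment that carries a path parameter or is a dot segment
    (raw or percent-encoded), and only then apply the wildcard to the path."""
    uri, pat = urlsplit(redirect_uri), urlsplit(pattern)
    if (uri.scheme, uri.netloc) != (pat.scheme, pat.netloc) or uri.fragment:
        return False
    for seg in uri.path.split("/"):
        low = seg.lower()
        # Strict by design: a legitimate segment containing ';' or '%2e' is also refused.
        if ";" in low or "%3b" in low or "%2e" in low or low in (".", ".."):
            return False
    if pat.path.endswith("*"):
        return uri.path.startswith(pat.path[:-1])
    return uri.path == pat.path
```

The key point is that the match must be made on the same canonical path the server will actually route to, after rejecting anything that changes meaning during that canonicalisation.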
References
- access.redhat.com/errata/RHSA-2026:6475
- access.redhat.com/errata/RHSA-2026:6476
- access.redhat.com/errata/RHSA-2026:6477
- access.redhat.com/errata/RHSA-2026:6478
- access.redhat.com/security/cve/CVE-2026-3872
- bugzilla.redhat.com/show_bug.cgi?id=2445988
- github.com/advisories/GHSA-cjm2-j6cm-6p6m
- github.com/keycloak/keycloak
- github.com/keycloak/keycloak/commit/35a71b00bc856ac402711130f60190d3a24795e7
- github.com/keycloak/keycloak/issues/47718
- nvd.nist.gov/vuln/detail/CVE-2026-3872