CVE-2026-3872 is an open redirect vulnerability identified in the Red Hat Build of Keycloak, an open-source identity and access management solution widely used for authentication and authorization. The issue arises due to improper validation of redirect URIs that use wildcard patterns. Specifically, an attacker who controls another path on the same web server can bypass the allowed path restrictions in redirect URIs. This bypass enables the attacker to craft malicious redirect links that appear legitimate but redirect users to untrusted sites controlled by the attacker. The primary risk is the theft of access tokens, which can occur if a user follows such a malicious redirect and the attacker captures the token. Access tokens are critical for maintaining authenticated sessions and authorizing access to protected resources. The vulnerability requires the attacker to have low privileges on the server (PR:L) and user interaction (UI:R) to succeed, but it does not require high complexity or advanced conditions. The vulnerability impacts confidentiality and integrity but does not affect availability. The CVSS v3.1 base score is 7.3, reflecting a high severity level. No known exploits have been reported in the wild yet, but the potential impact is significant given the sensitive nature of access tokens. The vulnerability was reserved in early March 2026 and published in April 2026. No patches or mitigations have been explicitly linked yet, but standard best practices for redirect URI validation and upcoming vendor patches are expected.

The exploitation of CVE-2026-3872 can lead to the theft of access tokens, which compromises user session confidentiality and integrity. Attackers gaining access to these tokens can impersonate legitimate users, escalate privileges, and access sensitive data or systems protected by Keycloak. This can result in unauthorized data disclosure, potential lateral movement within networks, and undermining of trust in authentication mechanisms. Organizations relying on Keycloak for identity management, especially those handling sensitive or regulated data, face increased risk of data breaches and compliance violations. The vulnerability does not impact system availability directly but can have cascading effects on business operations due to compromised credentials and unauthorized access. The requirement for user interaction means phishing or social engineering may be used to exploit this flaw, increasing the attack surface. Given Keycloak's widespread use in enterprise and cloud environments, the impact is broad and significant.

Organizations should immediately review and tighten the validation logic for redirect URIs in their Keycloak deployments, avoiding the use of wildcards where possible. Implement strict allowlists for redirect URIs and ensure that only fully qualified, trusted URLs are accepted. Monitor and audit redirect URI configurations to detect any unauthorized changes or suspicious patterns. Educate users about the risks of clicking on unexpected or suspicious links, especially those involving authentication redirects. Apply any patches or updates released by Red Hat promptly once available. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block suspicious redirect attempts. Additionally, implement multi-factor authentication (MFA) to reduce the risk of token misuse. Conduct regular security assessments and penetration testing focused on authentication flows to identify similar weaknesses. Finally, monitor logs for unusual token usage patterns that may indicate exploitation attempts.