
Open Redirect CVE-2026-3872

EUVD-2026-18206 | HIGH
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
Published 2026-04-02 | Vendor: redhat | Advisory: GHSA-cjm2-j6cm-6p6m
CVSS 3.1 base score: 7.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: None

Lifecycle Timeline

Re-analysis Queued (cvss_changed): Apr 16, 2026 - 21:07, vuln.today
Patch released (Patch available): Apr 04, 2026 - 08:30, nvd
EUVD ID Assigned (EUVD-2026-18206): Apr 02, 2026 - 13:15, euvd
Analysis Generated: Apr 02, 2026 - 13:15, vuln.today
CVE Published (HIGH 7.3): Apr 02, 2026 - 12:37, nvd

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves to 4-path depth):
  • 53 maven packages depend on org.keycloak:keycloak-services (25 direct, 28 indirect)

Ecosystem-wide dependent count for version 26.5.7.

Description (NVD)

A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.

Analysis (AI)

Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web server to bypass wildcard-based redirect URI validation and steal OAuth access tokens. Attack requires low complexity and user interaction (CVSS 7.3). …


Remediation (AI)

Within 24 hours: Inventory all Keycloak deployments and document which instances share web servers with user-controllable or third-party content paths. Within 7 days: Implement strict redirect URI whitelisting (exact matching, not wildcards) and disable any unnecessary path hosting on shared servers; review Keycloak authentication logs for suspicious redirect attempts. …
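The following added example (not from vuln.today, NVD or the Keycloak project) illustrates the flaw class in the description and the exact-matching remediation above: a prefix-style wildcard redirect URI accepts any path on the registered host, including a second path whose content the identity provider's operator does not control, while an exact-match allow-list rejects it. The host names and paths are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed values (not from the advisory): the relying party's real
# callback, and a registered wildcard that covers the whole host.
REGISTERED_EXACT = {"https://app.example.com/oauth/callback"}
REGISTERED_WILDCARD = "https://app.example.com/*"

# A second path on the same host whose content is not controlled by the
# IdP operator (constructed). With a host-wide wildcard it is a valid
# redirect target, so a token returned there leaves the intended app.
OTHER_PATH_SAME_HOST = "https://app.example.com/user-content/page"


def wildcard_match(pattern: str, redirect_uri: str) -> bool:
    """Prefix-style wildcard: a trailing '*' accepts anything under the prefix.

    This is the weak setting the remediation advises against.
    """
    if pattern.endswith("*"):
        return redirect_uri.startswith(pattern[:-1])
    return redirect_uri == pattern


def exact_match(allowed: set, redirect_uri: str) -> bool:
    """Exact matching after conservative normalization.

    Scheme and host are compared case-insensitively (RFC 3986 treats them as
    such); path and query are compared byte-for-byte; fragments are rejected
    outright, and relative or scheme-less URIs never match.
    """
    parts = urlsplit(redirect_uri)
    if parts.fragment or not parts.scheme or not parts.netloc:
        return False
    normalized = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    if parts.query:
        normalized += "?" + parts.query
    return normalized in allowed


def evaluate(redirect_uri: str) -> dict:
    """Return how each policy treats one requested redirect_uri."""
    return {
        "wildcard_accepts": wildcard_match(REGISTERED_WILDCARD, redirect_uri),
        "exact_accepts": exact_match(REGISTERED_EXACT, redirect_uri),
    }


if __name__ == "__main__":
    for uri in (next(iter(REGISTERED_EXACT)), OTHER_PATH_SAME_HOST,
                "https://evil.example.net/oauth/callback"):
        print(uri, evaluate(uri))
```

Reviewing the IdP's client configuration for wildcard redirect URIs (especially host-wide ones) and replacing them with the exact callback(s) is the check this example encodes.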


Vendor Status (Vendor)
