Is Open Redirect affected by EUVD-2026-18206?

Red Hat Build of Keycloak contains an open redirect vulnerability (CVE-2026-3872) that allows authenticated attackers to bypass OAuth redirect validation and steal access tokens when Keycloak shares a web server with attacker-controlled paths.

EUVD-2026-18206

| CVE-2026-3872 HIGH

2026-04-02 redhat

GHSA-cjm2-j6cm-6p6m

7.3

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Patch Released

Apr 04, 2026 - 08:30 nvd

Patch available

Analysis Generated

Apr 02, 2026 - 13:15 vuln.today

EUVD ID Assigned

Apr 02, 2026 - 13:15 euvd

EUVD-2026-18206

CVE Published

Apr 02, 2026 - 12:37 nvd

HIGH 7.3

Description

A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.

Analysis

Open redirect in Red Hat Build of Keycloak allows authenticated attackers with control over another path on the same web server to bypass wildcard-based redirect URI validation and steal OAuth access tokens. Attack requires low complexity and user interaction (CVSS 7.3). …

Remediation

Within 24 hours: Inventory all Keycloak deployments and document which instances share web servers with user-controllable or third-party content paths. Within 7 days: Implement strict redirect URI whitelisting (exact matching, not wildcards) and disable any unnecessary path hosting on shared servers; review Keycloak authentication logs for suspicious redirect attempts. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +36

POC: 0

EUVD-2026-18206 vulnerability details – vuln.today

Back

EUVD-2026-18206

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

EUVD-2026-18206

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code