Publish Advisories

GHSA-cjm2-j6cm-6p6m
GHSA-rx66-hj7g-28h7

Author: advisory-database[bot]

…-cjm2-j6cm-6p6m/GHSA-cjm2-j6cm-6p6m.json …-cjm2-j6cm-6p6m/GHSA-cjm2-j6cm-6p6m.jsonadvisories/unreviewed/2026/04/GHSA-cjm2-j6cm-6p6m/GHSA-cjm2-j6cm-6p6m.json renamed to advisories/github-reviewed/2026/04/GHSA-cjm2-j6cm-6p6m/GHSA-cjm2-j6cm-6p6m.json advisories/unreviewed/2026/04/GHSA-cjm2-j6cm-6p6m/GHSA-cjm2-j6cm-6p6m.json renamed to advisories/github-reviewed/2026/04/GHSA-cjm2-j6cm-6p6m/GHSA-cjm2-j6cm-6p6m.json

@@ -1,24 +1,53 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cjm2-j6cm-6p6m",
-  "modified": "2026-04-02T18:31:37Z",
+  "modified": "2026-04-04T05:59:35Z",
   "published": "2026-04-02T15:31:38Z",
   "aliases": [
     "CVE-2026-3872"
   ],
+  "summary": "Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint",
   "details": "A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting in information disclosure.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-services"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.5.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3872"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/issues/47718"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/commit/35a71b00bc856ac402711130f60190d3a24795e7"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:6475"
@@ -42,15 +71,19 @@
     {
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2445988"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keycloak/keycloak"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-601"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T05:59:35Z",
     "nvd_published_at": "2026-04-02T13:16:26Z"
   }
 }

…-rx66-hj7g-28h7/GHSA-rx66-hj7g-28h7.json …-rx66-hj7g-28h7/GHSA-rx66-hj7g-28h7.jsonadvisories/unreviewed/2026/04/GHSA-rx66-hj7g-28h7/GHSA-rx66-hj7g-28h7.json renamed to advisories/github-reviewed/2026/04/GHSA-rx66-hj7g-28h7/GHSA-rx66-hj7g-28h7.json advisories/unreviewed/2026/04/GHSA-rx66-hj7g-28h7/GHSA-rx66-hj7g-28h7.json renamed to advisories/github-reviewed/2026/04/GHSA-rx66-hj7g-28h7/GHSA-rx66-hj7g-28h7.json

@@ -1,24 +1,53 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rx66-hj7g-28h7",
-  "modified": "2026-04-02T18:31:37Z",
+  "modified": "2026-04-04T05:58:45Z",
   "published": "2026-04-02T15:31:39Z",
   "aliases": [
     "CVE-2026-4325"
   ],
+  "summary": "Keycloak: Replay of action tokens via improper handling of single-use entries",
   "details": "A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password reset links. This could lead to unauthorized access or account compromise.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-services"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.5.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4325"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/issues/47715"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/commit/9046f201125a6fd6be9c116b99d348509d99d4a5"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:6475"
@@ -42,15 +71,19 @@
     {
       "type": "WEB",
       "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2448351"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keycloak/keycloak"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-653"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-04T05:58:45Z",
     "nvd_published_at": "2026-04-02T13:16:26Z"
   }
 }