CVE-2026-4874 PUBLISHED

Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation

Assigner: redhat
Reserved: 26.03.2026 Published: 26.03.2026 Updated: 26.03.2026

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the client_session_host parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS Score: 3.1

Product Status

Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat Build of Keycloak
Versions Default: affected
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform 8
Versions Default: affected
Vendor Red Hat
Product Red Hat JBoss Enterprise Application Platform Expansion Pack
Versions Default: affected
Vendor Red Hat
Product Red Hat Single Sign-On 7
Versions Default: affected

Workarounds

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Credits

  • Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue.

References

Problem Types

  • Server-Side Request Forgery (SSRF) CWE