A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
PUBLISHED5.2CWE-918
Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation
Problem type
Affected products
Red Hat
Red Hat Build of Keycloak
Red Hat Build of Keycloak
Red Hat Build of Keycloak
Red Hat JBoss Enterprise Application Platform 8
Red Hat JBoss Enterprise Application Platform Expansion Pack
Red Hat Single Sign-On 7
References
access.redhat.com
https://access.redhat.com/security/cve/CVE-2026-4874
RHBZ#2451611
https://bugzilla.redhat.com/show_bug.cgi?id=2451611
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-4874Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-4874",
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"dateUpdated": "2026-03-26T13:54:08.137Z",
"dateReserved": "2026-03-26T05:47:45.449Z",
"datePublished": "2026-03-26T07:12:37.545Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat",
"dateUpdated": "2026-03-26T07:23:12.550Z"
},
"datePublic": "2026-03-26T05:56:03.440Z",
"title": "Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation",
"descriptions": [
{
"lang": "en",
"value": "A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure."
}
],
"affected": [
{
"vendor": "Red Hat",
"product": "Red Hat Build of Keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "rhbk/keycloak-operator-bundle",
"cpes": [
"cpe:/a:redhat:build_keycloak:"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat Build of Keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "rhbk/keycloak-rhel9",
"cpes": [
"cpe:/a:redhat:build_keycloak:"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat Build of Keycloak",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "rhbk/keycloak-rhel9-operator",
"cpes": [
"cpe:/a:redhat:build_keycloak:"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform 8",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak-services",
"cpes": [
"cpe:/a:redhat:jboss_enterprise_application_platform:8"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack",
"collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html",
"packageName": "keycloak-services",
"cpes": [
"cpe:/a:redhat:jbosseapxp"
],
"defaultStatus": "affected"
},
{
"vendor": "Red Hat",
"product": "Red Hat Single Sign-On 7",
"collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
"packageName": "keycloak-services",
"cpes": [
"cpe:/a:redhat:red_hat_single_sign_on:7"
],
"defaultStatus": "affected"
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Server-Side Request Forgery (SSRF)",
"cweId": "CWE-918",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://access.redhat.com/security/cve/CVE-2026-4874",
"tags": [
"vdb-entry",
"x_refsource_REDHAT"
]
},
{
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451611",
"name": "RHBZ#2451611",
"tags": [
"issue-tracking",
"x_refsource_REDHAT"
]
}
],
"metrics": [
{},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"availabilityImpact": "NONE",
"baseScore": 3.1,
"baseSeverity": "LOW"
}
}
],
"workarounds": [
{
"lang": "en",
"value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."
}
],
"timeline": [
{
"time": "2026-03-26T05:51:10.233Z",
"lang": "en",
"value": "Reported to Red Hat."
},
{
"time": "2026-03-26T05:56:03.440Z",
"lang": "en",
"value": "Made public."
}
],
"credits": [
{
"lang": "en",
"value": "Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue."
}
]
},
"adp": [
{
"providerMetadata": {
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP",
"dateUpdated": "2026-03-26T13:54:08.137Z"
},
"title": "CISA ADP Vulnrichment",
"metrics": [
{}
]
}
]
}
}