CVE-2026-4366

CWE-918 — Server-Side Request Forgery (SSRF)5 documents5 sources

Severity

5.8MEDIUM

EPSS

0.0%

top 90.89%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform Redhat Single Sign-on

Timeline

PublishedMar 18

Description

A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or restricted resources. As a result, sensitive internal services such as cloud metadata endpoints could be accessed. This issue may lead to information disclosure and enable attackers to map internal network infrastructure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶NVDredhat/single_sign-on7.0

▶NVDredhat/jboss_enterprise_application_platform8.0.0

🔴Vulnerability Details

GHSA

GHSA-g2qr-3mxm-86jj: A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain clie↗2026-03-18

▶

CVEList

Keycloak-services: blind server-side request forgery (ssrf) via http redirect handling in keycloak↗2026-03-18

▶

📋Vendor Advisories

Red Hat

keycloak-services: Blind Server-Side Request Forgery (SSRF) via HTTP Redirect Handling in Keycloak↗2026-03-18

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4366 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶