CVE-2026-4874

CWE-918 — Server-Side Request Forgery (SSRF)6 documents6 sources

Severity

3.1LOW

EPSS

0.0%

top 93.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Jboss Enterprise Application Platform Redhat Single Sign-on

Timeline

PublishedMar 26

Description

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to inf…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 1.6 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.keycloak:keycloak-services26.5.6

▶NVDredhat/single_sign-on7.0

▶NVDredhat/jboss_enterprise_application_platform8.0.0

🔴Vulnerability Details

GHSA

Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation↗2026-03-26

▶

CVEList

Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation↗2026-03-26

▶

OSV

Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation↗2026-03-26

▶

📋Vendor Advisories

Red Hat

org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation↗2026-03-26

▶

🕵️Threat Intelligence

Wiz

CVE-2026-4874 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶