CVE-2026-1180: Server-Side Request Forgery (SSRF) in Red Hat Build of Keycloak

Severity: Medium
Published: Tue Jan 20 2026 (01/20/2026, 12:33:00 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat Build of Keycloak

Description

A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.

AI-Powered Analysis

Last updated: 01/20/2026, 13:20:16 UTC

Technical Analysis

CVE-2026-1180 is a medium severity SSRF vulnerability identified in the Red Hat Build of Keycloak, specifically within the OpenID Connect Dynamic Client Registration feature when clients authenticate using the private_key_jwt method. The vulnerability arises because Keycloak allows clients to specify an arbitrary JSON Web Key Set URI (jwks_uri) without validating the destination URL. Consequently, an attacker can manipulate the jwks_uri to force the Keycloak server to make HTTP requests to internal or otherwise restricted network resources. This behavior enables attackers to perform internal network reconnaissance, probing services that are not normally accessible externally, including sensitive endpoints such as cloud provider metadata services. The vulnerability does not require any prior authentication or user interaction, increasing its potential attack surface. However, it does not directly allow code execution or data modification, limiting its impact to information disclosure and reconnaissance. The CVSS 3.1 base score is 5.8, reflecting network attack vector, low attack complexity, no privileges required, no user interaction, and partial confidentiality impact. No known exploits have been reported in the wild as of the publication date. The vulnerability underscores a common SSRF risk where insufficient validation of URLs used in server-side HTTP requests can lead to internal resource exposure. Since Keycloak is widely used for identity and access management, exploitation could facilitate further attacks by revealing internal infrastructure details or cloud metadata that could be leveraged for privilege escalation or lateral movement.

Potential Impact

For European organizations, the impact of CVE-2026-1180 primarily involves the risk of internal network reconnaissance and information disclosure. Attackers exploiting this vulnerability can map internal services, identify sensitive endpoints, and potentially access cloud metadata services that may contain credentials or configuration data. This can aid in planning more sophisticated attacks such as privilege escalation, lateral movement, or data exfiltration. Organizations relying on Keycloak for authentication and authorization services could see their internal network topology and cloud environment exposed to external attackers. This is particularly concerning for enterprises with hybrid or cloud-based deployments where metadata endpoints are critical for instance identity and secrets management. The vulnerability does not directly compromise data integrity or availability but increases the attack surface and can facilitate subsequent attacks. The medium severity rating suggests that while immediate damage is limited, the reconnaissance capability significantly raises the risk profile. European entities in sectors such as finance, government, and critical infrastructure, which often use Red Hat and Keycloak, may be targeted to gain internal insights for advanced persistent threat campaigns.

Mitigation Recommendations

To mitigate CVE-2026-1180, European organizations should implement the following specific measures:

1) Apply any available patches or updates from Red Hat for Keycloak immediately once released.
2) Enforce strict validation and whitelisting of jwks_uri values to ensure only trusted URLs are accepted during client registration.
3) Restrict outbound HTTP requests from Keycloak servers using network-level controls such as firewall rules or proxy configurations to prevent access to internal or cloud metadata endpoints.
4) Monitor Keycloak logs for unusual or unexpected jwks_uri requests that could indicate exploitation attempts.
5) Employ network segmentation to isolate Keycloak servers from sensitive internal resources and metadata services.
6) Use cloud provider features to restrict metadata service access, such as metadata service versioning or access tokens, to reduce exposure.
7) Conduct regular security assessments and penetration testing focusing on SSRF vectors in identity management systems.

These targeted actions go beyond generic advice by focusing on input validation, network egress restrictions, and monitoring tailored to the Keycloak environment.
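As an added illustration of measures 2 and 3 (this is not Keycloak's own code, which is Java, nor Red Hat's fix), a Python validator that a registration endpoint could apply to a client-supplied jwks_uri before any fetch: scheme and port pinning, no userinfo, no IP literals, a hostname allowlist, and a check that every resolved address is publicly routable. The allowlist suffix, the METADATA_HOSTS set and the resolver passed in are assumptions for the example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Cloud metadata hostnames blocked by name before any DNS lookup (constructed
# list; extend it for the platforms you run on).
METADATA_HOSTS = {"169.254.169.254", "metadata.google.internal", "metadata"}

def system_resolver(host):
    """Resolve a hostname to its address strings with the OS resolver."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, 443)})

def _is_public(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    return ip.is_global and not ip.is_multicast

def validate_jwks_uri(uri, allowed_suffixes, resolver=system_resolver):
    """Return (ok, reason). Policy: https on 443, no userinfo, no IP literal,
    host under an allowlisted suffix, every resolved address public."""
    try:
        parts = urlsplit(uri)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return False, "missing host"
    if port not in (None, 443):
        return False, "only port 443 allowed"
    if host in METADATA_HOSTS:
        return False, "metadata endpoint"
    try:
        ipaddress.ip_address(host)
        return False, "IP literals not allowed"
    except ValueError:
        pass                       # not an IP literal, so a hostname
    if not any(host == s or host.endswith("." + s) for s in allowed_suffixes):
        return False, "host not in allowlist"
    for addr in resolver(host):    # check every A/AAAA answer, not just the first
        if not _is_public(addr):
            return False, "host resolves to non-public address " + addr
    return True, "ok"
```

Pin the address returned by the resolver for the actual key fetch, otherwise a DNS change between this check and the request (rebinding) bypasses the resolved-address test. An outbound proxy or egress firewall, as in measure 3, remains the backstop if the application-level check is ever skipped.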


Technical Details

Data Version: 5.2
Assigner Short Name: redhat
Date Reserved: 2026-01-19T07:36:12.895Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696f7db44623b1157c343c5d

Added to database: 1/20/2026, 1:05:56 PM

Last enriched: 1/20/2026, 1:20:16 PM

Last updated: 1/20/2026, 5:29:31 PM
