CVE-2026-1180: Server-Side Request Forgery (SSRF) in Red Hat Build of Keycloak
A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.
AI Analysis
Technical Summary
CVE-2026-1180 is a Server-Side Request Forgery (SSRF) vulnerability in the Red Hat Build of Keycloak, specifically in the OpenID Connect Dynamic Client Registration feature when a client registers with the private_key_jwt authentication method. With that method the client authenticates by presenting a JWT signed with its private key, and Keycloak fetches the client's public keys from the jwks_uri given in the registration metadata in order to verify the signature. The flaw is that Keycloak accepted the client-supplied jwks_uri without validating where it points, so the Keycloak server could be made to issue HTTP requests to any destination the registrant chose, including internal services that are not reachable from outside and cloud provider instance metadata endpoints, which can hold instance credentials and configuration data. The CVSS v3.1 score of 5.8 (medium) reflects an attack that needs no authentication or user interaction and whose impact is information disclosure and reconnaissance rather than direct compromise or denial of service. Two caveats matter in practice. First, the attacker must still be able to register or update a client, which Keycloak gates through its client registration policies: anonymous registration is controlled by the Trusted Hosts policy, and registration can be limited to holders of an initial access token. Second, even where the fetched response body is never returned to the attacker, differences in error responses and timing give a host and port scanning oracle, which is why the reconnaissance risk stands regardless of how the response is handled. No exploitation in the wild had been reported at the time of writing. The flaw is a reminder that any URL accepted during dynamic client registration must be validated and restricted before the server dereferences it.
Potential Impact
The primary impact of CVE-2026-1180 is information disclosure and internal network reconnaissance. An attacker can use the SSRF to reach services that are not exposed externally and gather configuration data, credentials or other information that supports follow-on attacks. Reaching a cloud metadata endpoint can yield instance credentials, which in turn allow privilege escalation and lateral movement within the cloud account. The flaw does not by itself give code execution or denial of service, but what it reveals can materially widen the attack surface and the likelihood of subsequent compromise. Any deployment of the Red Hat Build of Keycloak that exposes OpenID Connect Dynamic Client Registration and accepts private_key_jwt clients is in scope. Given how widely Keycloak is used for enterprise identity management and in cloud-native platforms, deployments with large internal networks or cloud-hosted Keycloak instances should treat this as a priority despite the medium score.
Mitigation Recommendations
Apply the Red Hat update for the Red Hat Build of Keycloak as soon as it is available. Until it is applied, and as defence in depth afterwards:
- Shrink the registration surface. Keycloak's client registration policies decide who may register or update clients: anonymous registration is governed by the Trusted Hosts policy, and registration can be limited to callers presenting an initial access token issued by an administrator. Disable dynamic client registration entirely if nothing depends on it.
- Validate jwks_uri as untrusted input. Accept https only, allowlist the domains your partners actually host keys on, reject userinfo and literal IP addresses, and resolve the host and reject any answer in loopback, private, link-local or metadata ranges before the URL is stored or fetched. Keycloak's client registration policy SPI is the place to add such a check, and existing private_key_jwt clients should be audited for jwks_uri values that would fail it (the JWKS URL is visible in each client's settings in the admin console and through the admin REST API).
- Control egress from the Keycloak host or pod. Block connections to instance metadata addresses and to internal ranges that Keycloak has no business reaching, leaving an explicit allowlist for the database, LDAP, SMTP and federated identity providers; on Kubernetes or OpenShift this is a NetworkPolicy egress rule. On the cloud side, metadata services that require a custom header or a session token (AWS IMDSv2, and the Metadata-Flavor and Metadata headers required by GCP and Azure) refuse the plain GET that a JWKS fetch sends, so enforcing those modes removes the credential-theft path even if the SSRF itself remains.
- Detect attempts. Enable realm event logging and alert on CLIENT_REGISTER and CLIENT_UPDATE events, then inspect the registered jwks_uri for non-https schemes, literal addresses or internal host names; at the network edge, alert on Keycloak-originated connections to 169.254.169.254 or RFC 1918 space that are not known dependencies.
- Segment. Apply network segmentation and zero-trust principles so that a request originating from the identity server carries no implicit trust and reaches as little of the internal estate as possible.
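The jwks_uri validation and the audit described above, as an added example written for this page rather than Keycloak's own code or the Red Hat fix. It treats the URL as untrusted input: https only, no userinfo, an optional domain allowlist, and every address the host resolves to must be public, which catches literal metadata addresses, IPv4-mapped IPv6 forms and DNS answers that mix public and private records. The resolver is injectable so the example runs offline; the host names, the FAKE_DNS answers and the SAMPLE_CLIENTS records are constructed, and audit_registered_clients is a hypothetical helper for scanning client metadata exported from the admin API, not a Keycloak function.

```python
"""SSRF policy for a client-supplied jwks_uri (added example, not Keycloak code).

Models the check a registration endpoint should run before storing a jwks_uri
(and before each fetch) plus an audit of already-registered private_key_jwt
clients. Hosts, addresses and client records are constructed for the example.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges a jwks_uri must never resolve to (the ipaddress flags cover most; CGNAT is extra).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8")]

class JwksUriRejected(ValueError):
    """Raised when a jwks_uri fails the SSRF policy."""

def system_resolver(host):
    """Default resolver: every A/AAAA answer for host."""
    return sorted({i[4][0] for i in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)})

def is_blocked_address(addr):
    ip = ipaddress.ip_address(addr)
    # ::ffff:169.254.169.254 is the metadata service in disguise; unwrap it.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast:
        return True
    return ip.is_unspecified or ip.is_reserved or any(ip in n for n in BLOCKED_NETWORKS)

def validate_jwks_uri(url, *, allowed_domains=None, resolver=system_resolver):
    """Return (host, port, pinned_addresses) or raise JwksUriRejected."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise JwksUriRejected(f"scheme must be https: {url}")
    if parts.username is not None or parts.password is not None:
        raise JwksUriRejected(f"userinfo is not allowed in a jwks_uri: {url}")
    try:
        host, port = parts.hostname, parts.port or 443
    except ValueError as exc:
        raise JwksUriRejected(f"invalid port: {url}") from exc
    if not host:
        raise JwksUriRejected(f"missing host: {url}")
    if allowed_domains is not None and not any(
            host == d or host.endswith("." + d) for d in allowed_domains):
        raise JwksUriRejected(f"host {host} is not in the allowlist")
    # A literal address is judged as-is; a name is resolved and every answer
    # must pass, so a mixed public/private answer set (rebinding) is rejected.
    try:
        ipaddress.ip_address(host)
        addresses = [host]
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise JwksUriRejected(f"host {host} did not resolve")
    for addr in addresses:
        if is_blocked_address(addr):
            raise JwksUriRejected(f"host {host} resolves to blocked address {addr}")
    # The fetcher must connect to a pinned address, not resolve the name again.
    return host, port, tuple(addresses)

def is_acceptable(url, **policy):
    try:
        validate_jwks_uri(url, **policy)
        return True
    except JwksUriRejected:
        return False

def audit_registered_clients(clients, **policy):
    findings = []  # (client_id, reason) for private_key_jwt clients that fail
    for c in clients:
        if c.get("token_endpoint_auth_method") != "private_key_jwt" or not c.get("jwks_uri"):
            continue
        try:
            validate_jwks_uri(c["jwks_uri"], **policy)
        except JwksUriRejected as exc:
            findings.append((c["client_id"], str(exc)))
    return findings

# Constructed DNS answers so the example runs offline; 8.8.8.8 stands in for a public host.
FAKE_DNS = {"keys.partner.example": ["8.8.8.8"],
            "rebind.attacker.example": ["8.8.8.8", "10.0.0.5"],
            "metadata.attacker.example": ["169.254.169.254"]}

def fake_resolver(host):
    return FAKE_DNS.get(host, [])

SAMPLE_CLIENTS = [  # constructed, shaped like RFC 7591 client metadata
    {"client_id": "partner-app", "token_endpoint_auth_method": "private_key_jwt",
     "jwks_uri": "https://keys.partner.example/.well-known/jwks.json"},
    {"client_id": "probe-metadata", "token_endpoint_auth_method": "private_key_jwt",
     "jwks_uri": "https://169.254.169.254/latest/meta-data/"},
    {"client_id": "probe-rebind", "token_endpoint_auth_method": "private_key_jwt",
     "jwks_uri": "https://rebind.attacker.example/jwks"},
    {"client_id": "secret-app", "token_endpoint_auth_method": "client_secret_basic"}]
```

Calling `audit_registered_clients(SAMPLE_CLIENTS, resolver=fake_resolver)` flags probe-metadata and probe-rebind and skips the client_secret_basic client. The same `validate_jwks_uri` serves both points in the paragraph: run it in the hook that rejects registrations (in Keycloak that would be a custom client registration policy) and run the audit over exported client metadata to find registrations that predate the check. Pinning matters: if the HTTP client resolves the name again when it connects, a DNS answer that changed between check and use still reaches the inside, so the returned addresses are what the fetcher should connect to.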
Affected Countries
United States, Germany, United Kingdom, France, Japan, India, Canada, Australia, Netherlands, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: redhat
- Date Reserved: 2026-01-19T07:36:12.895Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 696f7db44623b1157c343c5d
Added to database: 1/20/2026, 1:05:56 PM
Last enriched: 2/26/2026, 6:57:30 PM
Last updated: 3/25/2026, 2:30:59 AM