
CVE-2026-1180: Server-Side Request Forgery (SSRF) in Red Hat Build of Keycloak

Severity: Medium
Published: Tue Jan 20 2026 (01/20/2026, 12:33:00 UTC)
Source: CVE Database V5
Vendor/Project: Red Hat
Product: Red Hat Build of Keycloak

Description

CVE-2026-1180 is a Server-Side Request Forgery (SSRF) vulnerability in Red Hat Build of Keycloak affecting the OpenID Connect Dynamic Client Registration feature when using private_key_jwt authentication. The flaw allows an attacker to specify an arbitrary jwks_uri, which Keycloak fetches without validating the destination, enabling internal network probing and access to restricted resources such as cloud metadata endpoints. This can lead to information disclosure and reconnaissance within the victim's internal environment. The vulnerability has a CVSS score of 5.8 (medium severity), requires no authentication or user interaction, and impacts confidentiality but not integrity or availability. No known exploits are currently reported in the wild. European organizations using Keycloak for identity and access management should prioritize patching or mitigating this issue to prevent internal network exposure.

AI-Powered Analysis

Last updated: 01/27/2026, 20:16:02 UTC

Technical Analysis

CVE-2026-1180 is a medium-severity SSRF vulnerability discovered in the Red Hat Build of Keycloak, specifically in the OpenID Connect Dynamic Client Registration feature when clients authenticate using the private_key_jwt method. The vulnerability arises because Keycloak does not validate the destination of the jwks_uri parameter provided by clients. This parameter is intended to point to a JSON Web Key Set (JWKS) URI for public key retrieval, but an attacker can supply an arbitrary URL, causing the Keycloak server to make HTTP requests to internal or otherwise restricted network resources. This behavior can be exploited to perform internal network reconnaissance, including accessing cloud provider metadata endpoints that often contain sensitive information such as instance credentials or configuration details. The flaw does not require any privileges or user interaction, making it easier for remote attackers to exploit. While the vulnerability does not directly impact data integrity or availability, the confidentiality risk is significant because it can leak sensitive internal information. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N) reflects network attack vector, low complexity, no privileges or user interaction required, with a scope change and limited confidentiality impact. No patches or known exploits were reported at the time of publication, but the risk of reconnaissance and information leakage in cloud or internal network environments is notable.

Potential Impact

For European organizations, the impact of CVE-2026-1180 can be substantial, especially for those relying on Red Hat Build of Keycloak for identity and access management in cloud or hybrid environments. The SSRF vulnerability allows attackers to bypass perimeter defenses and access internal services that are typically inaccessible externally, including sensitive cloud metadata endpoints that may contain credentials or configuration data. This can lead to further compromise, lateral movement, or data exfiltration. Organizations in sectors with high regulatory requirements such as finance, healthcare, and critical infrastructure may face compliance risks if internal data is exposed. Additionally, the reconnaissance enabled by this vulnerability can facilitate more targeted attacks. The medium severity rating suggests that while immediate damage may be limited, the vulnerability is a valuable reconnaissance tool for attackers and should be addressed promptly to prevent escalation.

Mitigation Recommendations

European organizations should implement the following specific mitigations:

1) Apply any available patches or updates from Red Hat for Keycloak as soon as they are released.
2) If patches are not yet available, restrict outbound HTTP requests from Keycloak servers to only trusted destinations using network-level controls such as firewall rules or egress filtering.
3) Implement strict validation and whitelisting of jwks_uri parameters in client registration workflows to prevent arbitrary URLs.
4) Monitor Keycloak logs for unusual or unexpected jwks_uri requests that may indicate exploitation attempts.
5) Use network segmentation to isolate Keycloak servers from sensitive internal resources and cloud metadata endpoints.
6) Employ runtime application self-protection (RASP) or web application firewalls (WAF) with SSRF detection capabilities to block suspicious requests.
7) Review and limit the exposure of cloud metadata services by applying recommended cloud provider security best practices, such as metadata service versioning or access tokens.

These targeted measures go beyond generic advice and address the specific exploitation vector of this vulnerability.


Technical Details

Data Version
5.2
Assigner Short Name
redhat
Date Reserved
2026-01-19T07:36:12.895Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 696f7db44623b1157c343c5d

Added to database: 1/20/2026, 1:05:56 PM

Last enriched: 1/27/2026, 8:16:02 PM

Last updated: 2/6/2026, 1:55:07 PM

