The vulnerability CVE-2026-4366 affects Red Hat build of Keycloak 26.4, where the server improperly follows HTTP redirects when processing certain client configuration requests. This SSRF flaw allows attackers to coerce the server into making unintended requests to internal or restricted network resources, potentially exposing sensitive internal services such as cloud metadata endpoints. The issue can result in information disclosure and enable attackers to map internal network infrastructure. Red Hat has published security advisories (RHSA-2026:19596 and RHSA-2026:19597) announcing the availability of Keycloak 26.4.12 packages and container images that include fixes for this vulnerability among others. The advisories recommend backing up existing installations before applying updates.

An attacker exploiting this SSRF vulnerability can cause the Keycloak server to make unauthorized requests to internal or restricted resources, potentially disclosing sensitive information such as cloud metadata. This can aid attackers in mapping internal network infrastructure. The CVSS 3.1 base score is 5.8 (medium severity), with network attack vector, low attack complexity, no privileges required, no user interaction, and a confidentiality impact limited to partial information disclosure. There is no indication of integrity or availability impact from this vulnerability alone.

Red Hat has released an official security update in Keycloak version 26.4.12 that addresses CVE-2026-4366 along with other vulnerabilities. Users of Red Hat build of Keycloak 26.4 should apply the 26.4.12 update as provided in the Red Hat Customer Portal advisories RHSA-2026:19596 and RHSA-2026:19597. Before applying the update, back up existing installations, including applications, configuration files, and databases. No other mitigation or workaround is specified in the vendor advisories.