CVE-2026-4874 is a Server-Side Request Forgery (SSRF) vulnerability identified in the Red Hat Build of Keycloak, an open-source identity and access management solution. The flaw arises when an authenticated attacker manipulates the client_session_host parameter during refresh token requests. This attack vector is specifically exploitable when a Keycloak client is configured to use the backchannel.logout.url parameter containing the application.session.host placeholder. By exploiting this, the attacker can coerce the Keycloak server to initiate HTTP requests from its own network context, effectively allowing the attacker to probe internal network resources or internal APIs that are otherwise inaccessible externally. This can lead to information disclosure about internal infrastructure or services. The vulnerability requires the attacker to have authenticated access, and the attack complexity is high, as it depends on specific client configurations and parameter manipulation. The CVSS v3.1 base score is 3.1, reflecting low severity, with confidentiality impact limited to information disclosure and no impact on integrity or availability. No public exploits have been reported, and no patches or mitigation links were provided at the time of disclosure. This vulnerability highlights the risk of SSRF in identity management platforms when certain URL placeholders are used insecurely, emphasizing the need for careful parameter validation and configuration management.

The primary impact of CVE-2026-4874 is information disclosure through SSRF, allowing an authenticated attacker to make HTTP requests from the Keycloak server to internal network resources. This can enable reconnaissance of internal services, potentially exposing sensitive internal APIs or infrastructure details that could be leveraged in further attacks. While the vulnerability does not directly affect integrity or availability, the information gained could facilitate lateral movement or privilege escalation within an organization’s network. The requirement for authentication and high attack complexity limits the scope and ease of exploitation, reducing the overall risk. However, organizations relying on Keycloak for identity management, especially those with sensitive internal network segments accessible only from the Keycloak server, may face increased risk of internal network exposure. This could be particularly impactful in environments where Keycloak is deployed in critical authentication or federated identity roles, as attackers gaining internal network knowledge could target other internal systems or services.

To mitigate CVE-2026-4874, organizations should first verify if their Keycloak clients are configured to use the backchannel.logout.url parameter with the application.session.host placeholder. If so, consider removing or restricting this configuration to prevent manipulation of the client_session_host parameter. Implement strict input validation and sanitization on parameters that influence server-side requests to prevent SSRF attacks. Limit the network access of the Keycloak server to only necessary internal resources using network segmentation and firewall rules, reducing the potential impact of SSRF. Monitor authentication logs for unusual refresh token request patterns that could indicate exploitation attempts. Apply any available patches or updates from Red Hat as soon as they are released. Additionally, consider deploying Web Application Firewalls (WAFs) with SSRF detection capabilities and conduct regular security assessments focused on SSRF vectors within identity management systems. Finally, enforce the principle of least privilege on Keycloak service accounts and network permissions to minimize potential damage.