CVE-2026-4874: Server-Side Request Forgery (SSRF) in Red Hat Red Hat Build of Keycloak
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
AI Analysis
Technical Summary
This vulnerability in Red Hat Build of Keycloak involves an SSRF attack vector via the client_session_host parameter during refresh token requests. It specifically affects configurations where backchannel.logout.url uses the application.session.host placeholder. An attacker with authentication can cause the Keycloak server to send crafted HTTP requests to internal network resources. The CVSS 3.1 score of 3.1 reflects low impact, primarily limited to potential information disclosure without integrity or availability impact. The vendor advisory linked does not explicitly confirm patch availability or remediation details.
Potential Impact
The impact is limited to information disclosure due to SSRF, allowing an authenticated attacker to make HTTP requests from the Keycloak server to internal network resources. There is no indication of integrity or availability impact. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-4874 for current remediation guidance. Until official fixes or mitigations are confirmed, restrict access to authenticated users and carefully review client configurations involving backchannel.logout.url and application.session.host placeholders to minimize exposure.
CVE-2026-4874: Server-Side Request Forgery (SSRF) in Red Hat Red Hat Build of Keycloak
Description
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability in Red Hat Build of Keycloak involves an SSRF attack vector via the client_session_host parameter during refresh token requests. It specifically affects configurations where backchannel.logout.url uses the application.session.host placeholder. An attacker with authentication can cause the Keycloak server to send crafted HTTP requests to internal network resources. The CVSS 3.1 score of 3.1 reflects low impact, primarily limited to potential information disclosure without integrity or availability impact. The vendor advisory linked does not explicitly confirm patch availability or remediation details.
Potential Impact
The impact is limited to information disclosure due to SSRF, allowing an authenticated attacker to make HTTP requests from the Keycloak server to internal network resources. There is no indication of integrity or availability impact. No known active exploitation has been reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the Red Hat advisory at https://access.redhat.com/security/cve/CVE-2026-4874 for current remediation guidance. Until official fixes or mitigations are confirmed, restrict access to authenticated users and carefully review client configurations involving backchannel.logout.url and application.session.host placeholders to minimize exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- redhat
- Date Reserved
- 2026-03-26T05:47:45.449Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69c4e45ef4197a8e3b077baa
Added to database: 3/26/2026, 7:46:38 AM
Last enriched: 4/3/2026, 12:39:01 PM
Last updated: 5/10/2026, 2:21:31 PM
Views: 114
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.