Platform
java
Component
org.keycloak:keycloak-services
Fixed in
26.5.7
26.6.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Keycloak Services versions up to 26.6.0. This flaw allows an authenticated attacker to manipulate the clientsessionhost parameter during refresh token requests, enabling them to make HTTP requests from the Keycloak server’s network context. Successful exploitation can lead to information disclosure by probing internal networks or APIs.
The SSRF vulnerability in Keycloak Services allows an attacker, once authenticated, to craft malicious refresh token requests that manipulate the clientsessionhost parameter. If a Keycloak client is configured to use the backchannel.logout.url with the application.session.host placeholder, this manipulation enables the attacker to initiate HTTP requests originating from the Keycloak server's network context. This can lead to the exposure of sensitive information residing within the internal network, such as internal API endpoints or other internal services. The potential blast radius extends to any internal resources accessible from the Keycloak server, making it crucial to address this vulnerability promptly.
CVE-2026-4874 was publicly disclosed on 2026-03-26. The CVSS score is LOW, indicating a relatively limited potential for widespread exploitation. No public proof-of-concept (PoC) code has been publicly released as of this writing. It is not currently listed on the CISA KEV catalog. Active exploitation campaigns are not currently confirmed.
Organizations utilizing Keycloak for authentication and authorization, particularly those with complex internal network architectures or sensitive internal APIs, are at risk. Environments where the backchannel.logout.url is configured with the application.session.host placeholder are especially vulnerable.
• java / server:
# Check for suspicious outbound network connections from the Keycloak process
# (ss -p needs root; pgrep -f -o picks the oldest process whose command line mentions keycloak)
ss -tnp | grep "pid=$(pgrep -f -o keycloak)"
• java / server:
# Monitor Keycloak logs for unusual HTTP requests or errors related to refresh token processing
grep -i "client_session_host" /path/to/keycloak/logs/keycloak.log
• generic web:
# Check for the presence of the 'application.session.host' placeholder in the backchannel.logout.url configuration
# (Requires access to Keycloak configuration files or API)
Exploit status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4874 is to upgrade Keycloak Services to a version that includes the security patch. Consult the official Keycloak advisory for the specific patched version. If immediate upgrade is not feasible, consider temporarily disabling the backchannel.logout.url feature or carefully reviewing and restricting the application.session.host placeholder usage. Implement strict network segmentation to limit the potential impact of successful exploitation. Web Application Firewalls (WAFs) configured to detect and block SSRF attempts can provide an additional layer of defense.
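The configuration check and the log review from the detection steps above, and the placeholder review recommended here, can be scripted. The following is an added example, not code from this advisory or from the Keycloak project: it audits a constructed realm export for clients whose backchannel.logout.url uses the `${application.session.host}` placeholder (the placeholder syntax and the location of the attribute under each client's `attributes` are assumptions), and flags refresh-token log lines whose client_session_host value is not an expected application host (the log layout is constructed).

```python
import json
import re

# Constructed realm export (not a real deployment); the placement of
# backchannel.logout.url under each client's "attributes" is an assumption.
REALM_EXPORT = json.dumps({
    "realm": "demo",
    "clients": [
        {"clientId": "portal", "attributes": {
            "backchannel.logout.url": "https://${application.session.host}/logout"}},
        {"clientId": "billing", "attributes": {
            "backchannel.logout.url": "https://billing.corp.example/logout"}},
        {"clientId": "cli", "attributes": {}},
    ],
})
PLACEHOLDER = "${application.session.host}"  # assumed placeholder syntax

def clients_using_placeholder(export_json):
    """clientIds whose backchannel logout URL is built from the session host."""
    realm = json.loads(export_json)
    hits = []
    for client in realm.get("clients", []):
        url = client.get("attributes", {}).get("backchannel.logout.url", "")
        if PLACEHOLDER in url:
            hits.append(client["clientId"])
    return hits

# Constructed log lines; this key=value layout is assumed, not Keycloak's default.
LOG_LINES = [
    "type=REFRESH_TOKEN client=portal client_session_host=app.example.com",
    "type=REFRESH_TOKEN client=portal client_session_host=intranet-api.corp.example",
    "type=LOGIN client=portal",
]
EXPECTED_HOSTS = {"app.example.com"}  # hosts the application legitimately uses
_FIELDS_RE = re.compile(r"\bclient=(\S+).*\bclient_session_host=(\S+)")

def suspicious_session_hosts(lines, expected_hosts=EXPECTED_HOSTS):
    """(client, host) pairs for refresh requests naming an unexpected session host."""
    findings = []
    for line in lines:
        if "REFRESH_TOKEN" not in line:
            continue
        m = _FIELDS_RE.search(line)
        if m and m.group(2) not in expected_hosts:
            findings.append((m.group(1), m.group(2)))
    return findings

if __name__ == "__main__":
    print("placeholder clients:", clients_using_placeholder(REALM_EXPORT))
    print("suspicious refreshes:", suspicious_session_hosts(LOG_LINES))
```

Clients reported by the first function are the ones to review or move to a fixed backchannel logout URL; the second function's output is a starting point for alerting, not proof of exploitation.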
Upgrade to a Keycloak version that has fixed the SSRF vulnerability. Consult the Red Hat Build of Keycloak release notes for information on the fixed versions and upgrade instructions.
CVE-2026-4874 is a Server-Side Request Forgery (SSRF) vulnerability affecting Keycloak Services versions up to 26.6.0, allowing authenticated attackers to make HTTP requests from the Keycloak server’s network.
You are affected if you are running Keycloak Services versions 26.6.0 or earlier and have the backchannel.logout.url configured with the application.session.host placeholder.
Upgrade Keycloak Services to a version where the vulnerability has been addressed. Consult the official Keycloak advisory for the specific fixed version.
There are currently no confirmed reports of active exploitation, but the SSRF nature of the vulnerability suggests potential for exploitation.
Refer to the official Keycloak security advisories on the Keycloak website for the latest information and mitigation guidance.