LOW · CVE-2026-1518 · CVSS 2.7

CVE-2026-1518: SSRF in Keycloak CIBA Feature

Platform

java

Component

org.keycloak:keycloak-parent

Fixed in

26.5.3

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-1518 describes a Server-Side Request Forgery (SSRF) vulnerability in the Client Initiated Backchannel Authentication (CIBA) feature of Keycloak. The flaw allows an attacker to make the Keycloak server issue requests to internal services within its infrastructure, bypassing intended network boundaries. It affects Keycloak versions up to 26.5.2 and is fixed in 26.5.3; upgrading is the recommended remediation.


Impact and Attack Scenarios

The SSRF vulnerability in Keycloak's CIBA feature allows an attacker who can craft malicious client configurations to trigger requests to internal services. Because validation of backchannel notification endpoints is insufficient, the Keycloak server sends its notification requests to whatever destination the attacker configured. This could lead to unauthorized access to sensitive internal resources, such as databases, configuration files, or other internal APIs. Although the CVSS score is LOW, the potential for lateral movement and data exfiltration within the Keycloak environment should not be underestimated: exploitation could reveal internal network topology and expose critical infrastructure components.

Exploitation Context

CVE-2026-1518 was published on February 2, 2026. Its CVSS score is currently rated LOW (2.7), suggesting a relatively low probability of exploitation in the wild. No public Proof-of-Concept (PoC) code had been released at the time of writing. It is not currently listed on KEV or EPSS, indicating a low immediate threat level. Monitor security advisories and threat intelligence feeds for any changes in the exploitation landscape.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

0.01% (1st percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Base score: 2.7 (LOW)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: High (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: None (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
High — admin or privileged account required to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
None — no confidentiality impact. Attacker cannot read protected data.
Integrity
Low — attacker can modify some data with limited scope or impact.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: org.keycloak:keycloak-parent
Vendor: osv
Affected range: up to 26.5.2
Fixed in: 26.5.3

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-1518 is to upgrade Keycloak to a version that includes the fix. Consult the official Keycloak advisory for the specific patched version. If immediate upgrading is not feasible, consider temporary workarounds: restrict network access from the Keycloak server using firewalls or network segmentation to limit the blast radius of a successful SSRF attack; carefully review and restrict client configurations so that malicious backchannel notification endpoints cannot be registered; and monitor Keycloak logs for unusual outbound requests that could indicate exploitation attempts. After upgrading, confirm the fix by attempting to trigger a CIBA flow with a malicious backchannel URL and verifying that the request is blocked.
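The "review and restrict client configurations" workaround above can be made mechanical. The following is an added example, not Keycloak's own code: a validator an operator could run over exported client configurations to flag CIBA backchannel notification endpoints that point at internal infrastructure. It assumes the endpoint is available as a URL string, and name resolution is injectable so the check can run offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def _is_internal(ip):
    """True for any address a notification endpoint must never resolve to:
    private, loopback, link-local (incl. cloud metadata 169.254.169.254),
    multicast, reserved, unspecified, or otherwise non-global."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified
            or not ip.is_global)


def _resolve(host):
    # Default resolver: every address the host currently resolves to.
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_notification_endpoint(url, allowed_hosts=None, resolve=_resolve):
    """Return (ok, reason). ok is True only for an https URL with no embedded
    credentials whose host is on the allowlist (when one is given) and whose
    every resolved address is a public, globally routable address."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets already stripped for IPv6 literals
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP in the URL
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (socket.gaierror, ValueError) as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "host resolved to no addresses"
    for ip in addrs:
        if _is_internal(ip):
            return False, f"host resolves to internal address {ip}"
    return True, "ok"


# Constructed sample: a static resolver standing in for DNS during review.
SAMPLE_DNS = {"notify.example": ["93.184.216.34"], "evil.example": ["10.0.0.5"]}
```

A configuration-time check like this does not protect against DNS rebinding after the endpoint was approved, so it complements rather than replaces the patched release.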

How to fix

Upgrade to a Keycloak version that has fixed the SSRF vulnerability. Consult the Red Hat Build of Keycloak release notes for information on the fixed version and upgrade instructions.


Frequently asked questions

What is CVE-2026-1518 — SSRF in Keycloak?

CVE-2026-1518 is a Server-Side Request Forgery (SSRF) vulnerability affecting Keycloak versions up to 26.5.2. It allows attackers to potentially make requests to internal services through the CIBA feature due to insufficient endpoint validation.

Am I affected by CVE-2026-1518 in Keycloak?

You are affected if you are using Keycloak version 26.5.2 or earlier. Check your Keycloak version using /opt/keycloak/bin/kc version and upgrade if necessary.

How do I fix CVE-2026-1518 in Keycloak?

Upgrade Keycloak to a patched version that addresses the vulnerability. Consult the official Keycloak advisory for the specific patched version. Consider temporary workarounds like network segmentation if immediate upgrading is not possible.

Is CVE-2026-1518 being actively exploited?

As of the current assessment, CVE-2026-1518 is not known to be actively exploited in the wild. However, it's crucial to apply the fix proactively to mitigate potential risks.

Where can I find the official Keycloak advisory for CVE-2026-1518?

Refer to the official Keycloak security advisories on the Keycloak website or through their mailing list for the most up-to-date information and guidance regarding CVE-2026-1518.
