Platform: java
Component: org.keycloak:keycloak-services
Fixed in: 26.5.7, 26.6.1
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Keycloak Services versions up to 26.6.0. This flaw allows an authenticated attacker to manipulate the clientsessionhost parameter during refresh token requests, enabling them to make HTTP requests from the Keycloak server’s network context. Successful exploitation can lead to information disclosure by probing internal networks or APIs.
The SSRF vulnerability in Keycloak Services allows an attacker, once authenticated, to initiate HTTP requests from the Keycloak server's network. This means the attacker can potentially scan internal networks and access internal APIs that are not directly accessible from the outside world. The impact ranges from information disclosure – revealing details about internal services and infrastructure – to potentially gaining access to sensitive data stored within those internal systems. While the CVSS score is LOW, the potential for internal reconnaissance and lateral movement should not be underestimated, especially in environments with complex internal network architectures. This vulnerability shares similarities with other SSRF exploits where attackers leverage trusted internal access to bypass security controls.
CVE-2026-4874 was publicly disclosed on 2026-03-26. Its current status on KEV is unknown. Public proof-of-concept (PoC) code is not currently available, but the SSRF nature of the vulnerability suggests that a PoC could be developed relatively easily. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns.
Exploit Status
EPSS: 0.03% (8th percentile)
The primary mitigation for CVE-2026-4874 is to upgrade Keycloak Services to a version where the vulnerability has been addressed (26.5.7 or 26.6.1, as listed above); consult the official Keycloak advisory to confirm the fixed version for your release line. If immediate upgrading is not possible, a temporary workaround is to carefully review and restrict the backchannel.logout.url configuration of each client, and to ensure that the application.session.host placeholder is not used in conjunction with untrusted input. Consider implementing network segmentation to limit the potential blast radius of a successful SSRF attack. WAF rules can be configured to block suspicious outbound requests originating from the Keycloak server.
Update to a version of Keycloak that has addressed the SSRF vulnerability. Consult the Red Hat Build of Keycloak release notes for information on patched versions and upgrade instructions.
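As an added triage helper (not code from this advisory or from the Keycloak project), the script below takes the keycloak-services version string from your build and a Keycloak realm export, and reports whether the version carries the fix (26.5.7 on the 26.5 line, 26.6.1 otherwise) and which clients have a backchannel logout URL that uses the `${application.session.host}` placeholder. It assumes the standard realm export layout (`clients[].clientId`, `clients[].attributes["backchannel.logout.url"]`); the export embedded here is a constructed sample.

```python
import json
import re

# Fixed versions from the advisory: 26.5.7 on the 26.5 branch, 26.6.1 on 26.6 and later.
FIXED_26_5 = (26, 5, 7)
FIXED_26_6 = (26, 6, 1)

# Placeholder that Keycloak substitutes with the host of the client session when
# building the backchannel logout URL; the advisory ties the SSRF to its use.
PLACEHOLDER = "${application.session.host}"

# Constructed sample realm export (not a real deployment): one client uses the
# placeholder, one uses a fixed host, one has no backchannel logout URL at all.
SAMPLE_EXPORT = json.loads("""
{"realm": "demo", "clients": [
  {"clientId": "app-a", "attributes": {"backchannel.logout.url": "https://app-a.internal.example/logout"}},
  {"clientId": "app-b", "attributes": {"backchannel.logout.url": "https://${application.session.host}/logout"}},
  {"clientId": "app-c", "attributes": {}}
]}
""")

def parse_version(version: str) -> tuple:
    """Turn '26.6.0' (optionally with a suffix such as '-SNAPSHOT') into (26, 6, 0)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())

def is_fixed_version(version: str) -> bool:
    """True if this keycloak-services version includes the fix for CVE-2026-4874."""
    ver = parse_version(version)
    if ver[:2] == (26, 5):          # 26.5.x backport line
        return ver >= FIXED_26_5
    return ver >= FIXED_26_6        # everything before 26.5 is affected; 26.6.0 is affected

def placeholder_clients(realm_export: dict) -> list:
    """Client IDs whose backchannel logout URL contains the session-host placeholder."""
    hits = []
    for client in realm_export.get("clients", []):
        url = client.get("attributes", {}).get("backchannel.logout.url", "")
        if PLACEHOLDER in url:
            hits.append(client["clientId"])
    return hits

def assess(version: str, realm_export: dict) -> dict:
    """Combine the version check with the per-client configuration review."""
    fixed = is_fixed_version(version)
    clients = placeholder_clients(realm_export)
    action = "none" if fixed else ("upgrade" if clients else "upgrade (no placeholder clients found)")
    return {"version": version, "fixed": fixed, "placeholder_clients": clients, "action": action}

if __name__ == "__main__":
    print(json.dumps(assess("26.6.0", SAMPLE_EXPORT), indent=2))
```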
CVE-2026-4874 is a Server-Side Request Forgery (SSRF) vulnerability affecting Keycloak Services versions up to 26.6.0, allowing authenticated attackers to make HTTP requests from the Keycloak server’s network.
You are affected if you are running Keycloak Services versions 26.6.0 or earlier and have the backchannel.logout.url configured with the application.session.host placeholder.
Upgrade Keycloak Services to a version where the vulnerability has been addressed (26.5.7 or 26.6.1, as listed above). Consult the official Keycloak advisory to confirm the fixed version for your release line.
There are currently no confirmed reports of active exploitation, but the SSRF nature of the vulnerability suggests potential for exploitation.
Refer to the official Keycloak security advisories on the Keycloak website for the latest information and mitigation guidance.