Description
A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.
Published: 2026-01-20
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery enabling internal network reconnaissance
Action: Patch immediately
AI Analysis

Impact

When a client registers through Keycloak’s OpenID Connect Dynamic Client Registration endpoint with private_key_jwt as its token endpoint authentication method, it may supply an arbitrary jwks_uri. Keycloak follows that URI to retrieve the client’s JWK Set without validating the destination, which turns the registration request into a blind server‑side request forgery (CWE-918): the fetched body is not returned to the attacker, but the request is issued from the Keycloak host, so it reaches internal services and cloud metadata endpoints that the attacker cannot reach directly. The outcome is reconnaissance and information disclosure about the corporate network or cloud environment, obtained without the attacker ever connecting to the victim systems themselves.

Affected Systems

The vulnerability affects the Red Hat build of Keycloak 26.4 (CPE cpe:/a:redhat:build_keycloak:26.4::el9) in builds prior to the fixing errata (RHSA‑2026:6477 and RHSA‑2026:6478). It is also tracked against Red Hat JBoss Enterprise Application Platform 8, the JBoss Enterprise Application Platform Expansion Pack (jbosseapxp) and Red Hat Single Sign‑On 7. No additional version restrictions are listed in the official CNA data.

Risk and Exploitability

With a CVSS 3.1 score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N), the issue is of medium severity: it is reachable over the network without privileges or user interaction, crosses a trust boundary (the Keycloak server acts on the attacker’s behalf against hosts the attacker cannot reach), and yields limited confidentiality impact with no integrity or availability impact. The EPSS score below 1% and the SSVC assessment (Exploitation: none, Automatable: yes, Technical Impact: partial) indicate low observed exploitation, and the CVE is not in the CISA KEV catalog. The likely attack path is an attacker, or a compromised client, that completes a client registration request with token_endpoint_auth_method set to private_key_jwt and a jwks_uri of its choosing. Because the flaw does not require prior authentication to the Keycloak server itself, legitimate client registration flows and hijacked clients can both be used to carry out the internal‑network probing.

Generated by OpenCVE AI on April 15, 2026 at 21:44 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.


OpenCVE Recommended Actions

  • Apply the Red Hat errata RHSA‑2026:6477 and RHSA‑2026:6478 to update the Red Hat build of Keycloak 26.4 to the patched state.
  • Upgrade older Keycloak deployments to at least version 26.4.11, which includes the SSRF mitigation.
  • Until the fix is deployed, limit what a client‑supplied jwks_uri can reach: apply egress filtering on the Keycloak hosts so they cannot open connections to loopback, RFC 1918, link‑local (including the 169.254.169.254 metadata address) or other internal ranges, and review existing clients for jwks_uri values that point anywhere other than the client’s expected key server.

Generated by OpenCVE AI on April 15, 2026 at 21:44 UTC.
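
The check the advisory says was missing, written out as an added example that is not Keycloak’s code (Keycloak’s own fix is not on this page and may differ): an SSRF‑safe jwks_uri validator that a fetcher would run before retrieving a JWK Set, followed by an audit that applies the same check to an export of registered clients, which is the review step in the third recommended action above. The client records and the DNS table are constructed for the example, and the field names client_id, token_endpoint_auth_method and jwks_uri are assumed to follow the RFC 7591 registration response shape rather than Keycloak’s internal client attributes.

```python
"""SSRF-safe jwks_uri validation and an audit of registered OIDC clients.
Added example, not Keycloak's code; sample data below is constructed."""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], List[str]]

# Names that must never be fetched even if a resolver returns a public address.
BLOCKED_HOSTS = {"localhost", "metadata.google.internal"}


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver (production path; the tests use a table)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def address_is_public(ip_str: str) -> bool:
    """True only for globally routable unicast addresses. is_global already
    rejects loopback, RFC 1918, link-local (so 169.254.169.254), CGNAT,
    unique-local IPv6 (fd00:ec2::254) and the documentation ranges."""
    addr = ipaddress.ip_address(ip_str)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # judge ::ffff:10.0.0.1 as 10.0.0.1
    return addr.is_global and not addr.is_multicast


def validate_jwks_uri(uri: str, resolver: Resolver = system_resolver) -> Optional[str]:
    """Return None if the URI may be fetched, else the reason it is rejected.
    The fetcher must then connect to the addresses checked here rather than
    re-resolve the name, or a DNS-rebinding server can pass the check with a
    public answer and serve the fetch from an internal one. Spellings such as
    2130706433 or 0177.0.0.1 are not IP literals to ipaddress; they go to the
    resolver, whose answer (127.0.0.1 on most libcs) is what gets checked."""
    try:
        parts = urlsplit(uri)
        host, _ = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError as exc:
        return f"malformed URL: {exc}"
    if parts.scheme != "https":
        return "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return "userinfo not allowed"
    if not host:
        return "missing host"
    host = host.rstrip(".")
    if host in BLOCKED_HOSTS:
        return f"host {host} is blocked"
    try:
        addresses = [str(ipaddress.ip_address(host))]  # IP literal, no lookup
    except ValueError:
        try:
            addresses = resolver(host)
        except OSError as exc:
            return f"cannot resolve {host}: {exc}"
        if not addresses:
            return f"{host} did not resolve"
    for address in addresses:  # every answer must be public, not just the first
        if not address_is_public(address):
            return f"{host} resolves to non-public address {address}"
    return None


def audit_registrations(clients: List[Dict[str, str]],
                        resolver: Resolver = system_resolver) -> List[Dict[str, str]]:
    """Flag clients whose jwks_uri an SSRF-safe fetcher would refuse. Every
    jwks_uri is checked; the auth method is recorded so private_key_jwt
    clients, the path named by the advisory, can be triaged first."""
    findings = []
    for client in clients:
        uri = client.get("jwks_uri")
        if not uri:
            continue
        reason = validate_jwks_uri(uri, resolver)
        if reason is not None:
            findings.append({"client_id": client.get("client_id", "<unknown>"),
                             "auth_method": client.get("token_endpoint_auth_method", "<unset>"),
                             "jwks_uri": uri, "reason": reason})
    return findings


# Constructed sample data: a fake DNS table and a fake registration export.
SAMPLE_DNS = {
    "auth.example.com": ["1.1.1.1"],
    "rebind.attacker.example": ["1.1.1.1", "10.0.0.1"],  # mixed answer set
}


def table_resolver(host: str) -> List[str]:
    """Offline stand-in for system_resolver backed by SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise OSError(f"no such host: {host}")
    return SAMPLE_DNS[host]


PKJ = "private_key_jwt"
SAMPLE_CLIENTS = [
    {"client_id": "payments-api", "token_endpoint_auth_method": PKJ,
     "jwks_uri": "https://auth.example.com/.well-known/jwks.json"},
    {"client_id": "rogue-imds", "token_endpoint_auth_method": PKJ,
     "jwks_uri": "https://169.254.169.254/latest/meta-data/"},
    {"client_id": "rogue-http", "token_endpoint_auth_method": PKJ,
     "jwks_uri": "http://10.0.0.5:8080/jwks"},
    {"client_id": "rogue-gcp", "token_endpoint_auth_method": PKJ,
     "jwks_uri": "https://metadata.google.internal/computeMetadata/v1/"},
    {"client_id": "rogue-mapped", "token_endpoint_auth_method": PKJ,
     "jwks_uri": "https://[::ffff:127.0.0.1]/jwks"},
    {"client_id": "rogue-rebind", "token_endpoint_auth_method": PKJ,
     "jwks_uri": "https://rebind.attacker.example/jwks"},
    {"client_id": "web-spa", "token_endpoint_auth_method": "none"},
]

if __name__ == "__main__":
    for f in audit_registrations(SAMPLE_CLIENTS, table_resolver):
        print(f"{f['client_id']} ({f['auth_method']}): {f['jwks_uri']} -> {f['reason']}")
```

Run as a script it lists the five rogue registrations and passes payments-api. Two design points matter more than the range list: the check rejects a name if any resolved address is non‑public (a split answer such as rebind.attacker.example is an SSRF primitive, not an edge case), and the fetcher has to reuse the checked addresses instead of resolving again. Host egress filtering stays in place as the backstop for anything the application-level check misses.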

Tracking


Advisories

  • Source: GitHub GHSA
  • ID: GHSA-7vw6-5q2f-7w5r
  • Title: Keycloak’s OpenID Connect Dynamic Client Registration feature affected by Server-Side Request Forgery (SSRF)
History

Thu, 02 Apr 2026 14:15:00 +0000
  • CPEs added: cpe:/a:redhat:build_keycloak:26.4::el9
  • References changed

Wed, 21 Jan 2026 00:15:00 +0000
  • References changed
  • Metrics: threat_severity changed from None to Moderate

Tue, 20 Jan 2026 17:15:00 +0000
  • Metrics: ssvc added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 13:00:00 +0000
  • Description added (the CNA text shown at the top of this page)
  • Title added: org.keycloak.protocol.oidc: blind server-side request forgery (SSRF) in Keycloak OIDC dynamic client registration via jwks_uri
  • First time appeared: Redhat; Redhat build Keycloak; Redhat jboss Enterprise Application Platform; Redhat jbosseapxp; Redhat red Hat Single Sign On
  • Weaknesses added: CWE-918
  • CPEs added: cpe:/a:redhat:build_keycloak:, cpe:/a:redhat:jboss_enterprise_application_platform:8, cpe:/a:redhat:jbosseapxp, cpe:/a:redhat:red_hat_single_sign_on:7
  • Vendors & Products added: Redhat; Redhat build Keycloak; Redhat jboss Enterprise Application Platform; Redhat jbosseapxp; Redhat red Hat Single Sign On
  • References changed
  • Metrics: cvssV3_1 added: {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


MITRE
  Status: PUBLISHED
  Assigner: redhat
  Updated: 2026-04-02T16:39:39.391Z
  Reserved: 2026-01-19T07:36:12.895Z
  Link: CVE-2026-1180

Vulnrichment
  Updated: 2026-01-20T16:25:43.522Z

NVD
  Status: Deferred
  Published: 2026-01-20T13:16:03.003
  Modified: 2026-04-15T00:35:42.020
  Link: CVE-2026-1180

Red Hat
  Severity: Moderate
  Public Date: 2026-01-19T00:00:00Z
  Links: CVE-2026-1180 - Bugzilla

OpenCVE Enrichment
  Updated: 2026-04-15T21:45:14Z

Weaknesses