Description
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services.
Published: 2026-02-02
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: Blind SSRF via unvalidated backchannel notification endpoint
Action: Apply workaround
AI Analysis

Impact

Insufficient validation of client‑configured backchannel notification endpoints in Keycloak’s CIBA feature allows an attacker to cause the server to make blind HTTP requests to internal services. Because the responses are not returned to the attacker, the vulnerability is a blind server‑side request forgery (SSRF) that can expose internal network endpoints or serve as a foothold for further exploitation, compromising the confidentiality and integrity of internal infrastructure.

Affected Systems

Red Hat Build of Keycloak is affected. No specific version information is available in the advisory.

Risk and Exploitability

The CVSS score of 2.7 indicates low overall risk, and the EPSS score of <1% shows very low likelihood of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog. Attacks would target the backchannel_client_notification_endpoint, generating outbound requests from the Keycloak server to any URL supplied by a client, potentially reaching internal services that are otherwise inaccessible.

Generated by OpenCVE AI on April 18, 2026 at 00:43 UTC.

Remediation

Vendor Workaround

To mitigate this issue, restrict administrative access to Keycloak instances. Ensure that only trusted and authorized personnel have the necessary privileges to configure client settings, including the backchannel_client_notification_endpoint. This limits the ability of an attacker to manipulate the endpoint for SSRF attacks.


OpenCVE Recommended Actions

  • Restrict administrative access to Keycloak, ensuring only trusted personnel can configure client settings, particularly the backchannel_client_notification_endpoint.
  • Implement input validation on the backchannel notification endpoint configuration to reject or sanitize untrusted URLs, addressing the underlying CWE‑918 flaw.
  • Monitor Keycloak logs for unexpected outbound HTTP traffic and block or quarantine suspicious destinations.
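The second recommended action (validate the configured URL before the server ever uses it) is the fix for the underlying CWE-918 weakness. The following is an added example of what such a validator looks like; it is not Keycloak or OpenCVE code and does not use any Keycloak API. The function name `validate_notification_endpoint`, the policy constants `ALLOWED_SCHEMES` and `ALLOWED_PORTS`, the hostnames, and the `CONSTRUCTED_DNS` table are all assumptions made up for this illustration. The validator resolves the host and rejects any URL whose addresses are not globally routable (loopback, RFC 1918, link-local including the 169.254.169.254 metadata range, IPv6 ULA and IPv4-mapped forms), and optionally enforces an administrator-maintained hostname allow-list.

```python
"""Allow-list validator for a client-supplied callback URL such as a CIBA
backchannel_client_notification_endpoint (CWE-918 mitigation).
Added example: not Keycloak or OpenCVE code; names and hosts are hypothetical."""
import ipaddress
import socket
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}   # assumed policy: never plain http for a notification endpoint
ALLOWED_PORTS = {None, 443}   # assumed policy; None means the scheme's default port


@dataclass
class ValidationResult:
    ok: bool
    reason: str
    resolved: list = field(default_factory=list)  # addresses to pin for the outbound call


def is_public_address(ip: str) -> bool:
    """True only for globally routable addresses: rejects loopback, RFC 1918,
    link-local (including 169.254.169.254), ULA, unspecified and reserved ranges."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
    return addr.is_global


def default_resolver(host: str) -> list:
    """Resolve host to every A/AAAA answer; each answer must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def validate_notification_endpoint(url, resolver=default_resolver, allowed_hosts=None):
    """Return ValidationResult for a client-configured notification URL."""
    try:
        parts = urlsplit(url)
        port = parts.port          # raises ValueError on a malformed port
        host = parts.hostname
    except ValueError:
        return ValidationResult(False, "unparseable URL")
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return ValidationResult(False, f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        return ValidationResult(False, "userinfo in URL not allowed")
    if not host:
        return ValidationResult(False, "missing host")
    if port not in ALLOWED_PORTS:
        return ValidationResult(False, f"port {port} not allowed")
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        return ValidationResult(False, f"host {host!r} not in allow-list")
    try:
        ipaddress.ip_address(host)
        addrs = [host]             # literal IP: no DNS lookup needed
    except ValueError:
        try:
            addrs = resolver(host)
        except OSError:            # socket.gaierror is an OSError
            return ValidationResult(False, f"cannot resolve {host!r}")
    if not addrs:
        return ValidationResult(False, f"no addresses for {host!r}")
    for a in addrs:
        if not is_public_address(a):
            return ValidationResult(False, f"{host!r} resolves to non-public address {a}")
    return ValidationResult(True, "ok", resolved=addrs)


# Constructed DNS table so the example runs offline (hostnames are hypothetical).
CONSTRUCTED_DNS = {
    "app.example.com": ["1.2.3.4"],                # stand-in for a public address
    "metadata.internal": ["169.254.169.254"],      # cloud metadata range
    "split.example.com": ["1.2.3.4", "10.0.0.7"],  # one public, one private answer
}


def fake_resolver(host):
    """Resolver backed by CONSTRUCTED_DNS; unknown names behave like NXDOMAIN."""
    try:
        return CONSTRUCTED_DNS[host]
    except KeyError:
        raise socket.gaierror(f"constructed NXDOMAIN for {host}")


if __name__ == "__main__":
    for candidate in ("https://app.example.com/ciba/notify",
                      "https://metadata.internal/latest/meta-data/",
                      "https://10.0.0.5/cb", "http://app.example.com/cb"):
        print(candidate, "->", validate_notification_endpoint(candidate, resolver=fake_resolver))
```

Two design points matter in practice. First, every resolved address is checked, so a name with one public and one private answer is rejected rather than allowed on the strength of the public one. Second, validation at configuration time is not enough on its own: the name can be re-pointed at an internal address between the admin saving the client and the server sending the notification. The `resolved` list is returned so the caller can pin the outbound connection to those addresses, or re-run the check immediately before each request.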

Advisories
Source: GitHub GHSA
ID: GHSA-fwhw-chw4-gh37
Title: Keycloak Server-Side Request Forgery (SSRF) vulnerability
History

Mon, 02 Feb 2026 14:15:00 +0000

  Metrics (ssvc)
    Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 02 Feb 2026 12:15:00 +0000

  References
  Metrics (threat_severity)
    Values Removed: None
    Values Added: Low


Mon, 02 Feb 2026 07:45:00 +0000

  Description
    Values Added: A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services.
  Title
    Values Added: Keycloak: blind server-side request forgery (ssrf) via ciba backchannel notification endpoint in keycloak
  First Time appeared
    Values Added: Redhat; Redhat build Keycloak
  Weaknesses
    Values Added: CWE-918
  CPEs
    Values Added: cpe:/a:redhat:build_keycloak:
  Vendors & Products
    Values Added: Redhat; Redhat build Keycloak
  References
  Metrics (cvssV3_1)
    Values Added: {'score': 2.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-02-02T14:07:02.915Z

Reserved: 2026-01-28T08:08:15.419Z

Link: CVE-2026-1518

Vulnrichment

Updated: 2026-02-02T14:06:50.326Z

NVD

Status: Deferred

Published: 2026-02-02T08:16:06.217

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1518

Redhat

Severity: Low

Public Date: 2026-01-28T00:00:00Z

Links: CVE-2026-1518 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T00:45:32Z

Weaknesses