Description
A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or restricted resources. As a result, sensitive internal services such as cloud metadata endpoints could be accessed. This issue may lead to information disclosure and enable attackers to map internal network infrastructure.
Published: 2026-03-18
Score: 5.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Server‑side request forgery enabling internal resource access
Action: Apply Patch
AI Analysis

Impact

A flaw in Keycloak means HTTP redirects are not properly validated during client configuration processing. When an attacker supplies a malicious redirect URL, the server follows it and contacts internal or restricted resources chosen by the attacker. Exploitation can result in the disclosure of sensitive internal information, such as cloud metadata, and allow attackers to map internal network infrastructure.

Affected Systems

The vulnerability impacts Red Hat Build of Keycloak, Red Hat JBoss Enterprise Application Platform 8, Red Hat JBoss Enterprise Application Platform Expansion Pack, and Red Hat Single Sign‑On 7. No specific version range is supplied; all affected variants are listed in the CNA product list.

Risk and Exploitability

The CVSS base score is 5.8, indicating moderate severity, and the EPSS score is less than 1%, suggesting a low likelihood of widespread exploitation. The issue is not listed in the CISA KEV catalog. The likely attack vector is a blind server‑side request forgery triggered by HTTP redirect handling, with minimal prerequisites other than the ability to influence client configuration requests.

Generated by OpenCVE AI on April 2, 2026 at 05:05 UTC.

Remediation

Vendor Workaround

To mitigate this vulnerability, restrict the outbound network access of the Keycloak instance. Configure firewall rules to prevent the Keycloak server from initiating connections to internal network segments, especially to well-known cloud metadata service IP addresses such as `169.254.169.254`. For example, on Red Hat Enterprise Linux, you can use `firewalld` to add a rich rule:

    sudo firewall-cmd --permanent --zone=public --add-rich-rule='rule family="ipv4" destination address="169.254.169.254" reject'
    sudo firewall-cmd --reload

This may impact other services if they legitimately rely on accessing these internal IPs. Additionally, ensure that any configured `sector_identifier_uri` values are thoroughly validated to only point to trusted, external URLs that do not perform redirects to internal resources.


OpenCVE Recommended Actions

  • Apply the latest Keycloak update or apply the vendor patch once released
  • Restrict outbound traffic from the Keycloak instance, e.g., block 169.254.169.254 with firewall rules
  • Validate that all sector_identifier_uri values resolve only to trusted external URLs and do not contain redirects to internal resources
  • Monitor outbound network connections from the Keycloak server for unexpected requests
  • Review and harden client configuration settings regularly
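The URL validation that the workaround and the recommended actions call for, as an added illustration in Python (this is not Keycloak's own code): a `sector_identifier_uri` is rejected when its host resolves to a loopback, private, link-local or otherwise non-global address, which covers the `169.254.169.254` metadata address, and a redirect is never followed until its `Location` has passed the same check. The resolver and HTTP client are injected so the logic runs offline; the DNS table, the fetch stub and the hostnames `client.example` and `rebind.example` are constructed fixtures, and every function and class name is the example's own.

```python
"""Egress validation for operator-supplied URLs such as a client's
sector_identifier_uri: reject targets that resolve to non-public addresses
and re-check every redirect hop before following it.

Added example for this advisory, not Keycloak code. The resolver and the
HTTP fetch are injected callables so the block can be exercised offline."""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 3
ALLOWED_SCHEMES = {"https"}   # OpenID Connect requires an https sector_identifier_uri


class UnsafeTarget(ValueError):
    """Raised when a URL, or a redirect it issued, points at a non-public host."""


def system_resolver(host):
    """Default resolver: every A/AAAA answer for the host, as strings."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr):
    """True for any address the server must not contact on behalf of a client.
    IPv4-mapped IPv6 (::ffff:169.254.169.254) is unwrapped so it cannot bypass
    the IPv4 checks; 169.254.0.0/16 (cloud metadata) is link-local and not global."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_multicast or addr.is_unspecified or addr.is_reserved
            or addr.is_loopback or addr.is_link_local or not addr.is_global)


def validate_target(url, resolver=system_resolver):
    """Check the scheme and every address the host resolves to; return (host, addrs)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeTarget(f"scheme not allowed: {url}")
    if not parts.hostname:
        raise UnsafeTarget(f"no host in URL: {url}")
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]          # literal IP in the URL
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolver(parts.hostname)]
    if not addrs:
        raise UnsafeTarget(f"host did not resolve: {parts.hostname}")
    for addr in addrs:              # every answer must be public, not just the first one
        if is_blocked_address(addr):
            raise UnsafeTarget(f"{url} resolves to non-public address {addr}")
    return parts.hostname, addrs


def fetch_checking_redirects(url, fetch, resolver=system_resolver,
                             max_redirects=MAX_REDIRECTS):
    """Fetch url via fetch(url) -> (status, location_header, body) without ever
    following a redirect automatically: each Location is validated first."""
    current = url
    for _ in range(max_redirects + 1):
        validate_target(current, resolver)
        status, location, body = fetch(current)
        if status in (301, 302, 303, 307, 308):
            if not location:
                raise UnsafeTarget(f"redirect without Location from {current}")
            current = urljoin(current, location)   # a relative Location stays on the host
            continue
        return current, status, body
    raise UnsafeTarget(f"more than {max_redirects} redirects starting at {url}")


# --- constructed offline fixtures (not real hosts or DNS data) --------------
CONSTRUCTED_DNS = {"client.example": ["1.2.3.4"],
                   "rebind.example": ["1.2.3.4", "10.0.0.5"]}   # one public, one internal answer


def fake_resolver(host):
    return CONSTRUCTED_DNS.get(host, [])


def constructed_fetch(url):
    """Stand-in HTTP client: one legitimate same-host redirect, one hostile redirect."""
    table = {
        "https://client.example/old": (301, "/sector.json", b""),
        "https://client.example/sector.json": (200, None, b'["https://client.example/cb"]'),
        "https://client.example/hostile": (302, "https://169.254.169.254/latest/meta-data/", b""),
    }
    return table[url]


if __name__ == "__main__":
    print(fetch_checking_redirects("https://client.example/old", constructed_fetch, fake_resolver))
    for bad in ("https://client.example/hostile", "https://rebind.example/x",
                "https://[::ffff:169.254.169.254]/"):
        try:
            fetch_checking_redirects(bad, constructed_fetch, fake_resolver)
        except UnsafeTarget as err:
            print("rejected:", err)
```

Two points the block makes that the advisory text does not spell out: all DNS answers for a host are checked, so a name that mixes a public and an internal address is refused outright, and the check-then-connect pattern still leaves a window for a DNS answer to change between validation and the actual connection, so a production client should connect to the validated address rather than re-resolve. Network egress filtering remains the backstop; note that a firewalld zone rich rule such as the one in the workaround is evaluated for traffic entering the host, so blocking outbound connections to `169.254.169.254` needs a firewalld policy with ingress zone HOST (firewalld 0.9 and later) or a direct rule in the OUTPUT chain.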



Advisories

No advisories yet.

History

Wed, 01 Apr 2026 23:45:00 +0000

Type: First Time appeared
  Values Added: Redhat single Sign-on
Type: CPEs
  Values Added:
    cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
    cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
    cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Added: Redhat single Sign-on

Wed, 18 Mar 2026 18:15:00 +0000

Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Mar 2026 12:15:00 +0000

Type: First Time appeared
  Values Added:
    Redhat build Of Keycloak
    Redhat jboss Enterprise Application Platform Expansion Pack
Type: Vendors & Products
  Values Added:
    Redhat build Of Keycloak
    Redhat jboss Enterprise Application Platform Expansion Pack
Type: References
Type: Metrics (threat_severity)
  Values Removed: None
  Values Added: Moderate


Wed, 18 Mar 2026 04:15:00 +0000

Type: Description
  Values Added: A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or restricted resources. As a result, sensitive internal services such as cloud metadata endpoints could be accessed. This issue may lead to information disclosure and enable attackers to map internal network infrastructure.
Type: Title
  Values Added: Keycloak-services: blind server-side request forgery (ssrf) via http redirect handling in keycloak
Type: First Time appeared
  Values Added:
    Redhat
    Redhat build Keycloak
    Redhat jboss Enterprise Application Platform
    Redhat jbosseapxp
    Redhat red Hat Single Sign On
Type: Weaknesses
  Values Added: CWE-918
Type: CPEs
  Values Added:
    cpe:/a:redhat:build_keycloak:
    cpe:/a:redhat:jboss_enterprise_application_platform:8
    cpe:/a:redhat:jbosseapxp
    cpe:/a:redhat:red_hat_single_sign_on:7
Type: Vendors & Products
  Values Added:
    Redhat
    Redhat build Keycloak
    Redhat jboss Enterprise Application Platform
    Redhat jbosseapxp
    Redhat red Hat Single Sign On
Type: References
Type: Metrics (cvssV3_1)
  Values Added: {'score': 5.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-03-18T17:58:48.644Z

Reserved: 2026-03-18T03:43:54.685Z

Link: CVE-2026-4366

Vulnrichment

Updated: 2026-03-18T17:53:02.659Z

NVD

Status : Analyzed

Published: 2026-03-18T04:17:32.450

Modified: 2026-04-01T15:10:12.310

Link: CVE-2026-4366

Redhat

Severity : Moderate

Public Date: 2026-03-18T00:00:00Z

Links: CVE-2026-4366 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-02T08:00:05Z

Weaknesses