Description
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
Published: 2026-03-26
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery enabling internal network probing
Action: Assess Impact
AI Analysis

Impact

An authenticated attacker can abuse a Keycloak flaw that allows manipulation of the client_session_host parameter during refresh token requests. By configuring a client to use a backchannel logout URL that expands a placeholder, the attacker forces the Keycloak server to resolve and request an attacker‑supplied URL, producing a server‑side request forgery. The resulting internal HTTP requests can probe network services or expose sensitive data.

Affected Systems

The vulnerability affects Red Hat Build of Keycloak, Red Hat JBoss Enterprise Application Platform 8, the JBoss Enterprise Application Platform Expansion Pack, and Red Hat Single Sign‑On 7. Specific version information is not provided, so the flaw likely applies to the current releases referenced in the advisory.

Risk and Exploitability

The CVSS score of 3.1 classifies the issue as low severity, and the EPSS score below 1 % indicates a low likelihood of exploitation. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires authentication and a client configured with the vulnerable backchannel logout setting; when those conditions are met, the attacker can force requests from the Keycloak server’s internal network, potentially leaking internal information.

Generated by OpenCVE AI on April 2, 2026 at 05:25 UTC.

Remediation

Vendor Workaround

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

OpenCVE Recommended Actions

  • Remove or modify the backchannel logout URL that uses the application.session.host placeholder in the Keycloak client configuration.
  • Monitor Keycloak logs for unexpected or crafted client_session_host values during refresh token requests.
  • Check Red Hat Security advisories for any updated patches or workarounds as they become available.
  • If no patch or workaround is released, consider restricting outbound network traffic from the Keycloak server to limit internal network probing.

Generated by OpenCVE AI on April 2, 2026 at 05:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-22rm-wp4x-v5cx Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*

Fri, 27 Mar 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Redhat build Of Keycloak
Redhat jboss Enterprise Application Platform Expansion Pack
Redhat single Sign-on
Vendors & Products Redhat build Of Keycloak
Redhat jboss Enterprise Application Platform Expansion Pack
Redhat single Sign-on

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Low

Thu, 26 Mar 2026 07:45:00 +0000

Type Values Removed Values Added
Description A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
Title Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation
First Time appeared Redhat
Redhat build Keycloak
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Redhat red Hat Single Sign On
Weaknesses CWE-918
CPEs cpe:/a:redhat:build_keycloak:
cpe:/a:redhat:jboss_enterprise_application_platform:8
cpe:/a:redhat:jbosseapxp
cpe:/a:redhat:red_hat_single_sign_on:7
Vendors & Products Redhat
Redhat build Keycloak
Redhat jboss Enterprise Application Platform
Redhat jbosseapxp
Redhat red Hat Single Sign On
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Redhat Build Keycloak Build Of Keycloak Jboss Enterprise Application Platform Jboss Enterprise Application Platform Expansion Pack Jbosseapxp Red Hat Single Sign On Single Sign-on
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-04-01T14:24:14.569Z

Reserved: 2026-03-26T05:47:45.449Z

Link: CVE-2026-4874

cve-icon Vulnrichment

Updated: 2026-03-26T13:54:02.745Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-26T08:16:22.700

Modified: 2026-04-01T14:11:28.077

Link: CVE-2026-4874

cve-icon Redhat

Severity : Low

Publid Date: 2026-03-26T05:56:03Z

Links: CVE-2026-4874 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:58:59Z

Weaknesses