{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4874", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-03-26T05:47:45.449Z", "datePublished": "2026-03-26T07:12:37.545Z", "dateUpdated": "2026-04-01T14:24:14.569Z"}, "containers": {"cna": {"title": "Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server\u2019s network context, potentially probing internal networks or internal APIs, leading to information disclosure."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak-services", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"]}, {"vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "packageName": "keycloak-services", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:jbosseapxp"]}, {"vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "keycloak-services", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-4874", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451611", "name": "RHBZ#2451611", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-03-26T05:56:03.440Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-918: Server-Side Request Forgery (SSRF)", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2026-03-26T05:51:10.233Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-03-26T05:56:03.440Z", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-04-01T14:24:14.569Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:53:59.095067Z", "id": "CVE-2026-4874", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:54:08.137Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4874", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:53:59.095067Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:54:02.745Z"}}], "cna": {"title": "Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation", "credits": [{"lang": "en", "value": "Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.1, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}}], "affected": [{"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "rhbk/keycloak-operator-bundle", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "rhbk/keycloak-rhel9-operator", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jboss_enterprise_application_platform:8"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform 8", "packageName": "keycloak-services", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:jbosseapxp"], "vendor": "Red Hat", "product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "packageName": "keycloak-services", "collectionURL": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:red_hat_single_sign_on:7"], "vendor": "Red Hat", "product": "Red Hat Single Sign-On 7", "packageName": "keycloak-services", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-03-26T05:51:10.233Z", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-03-26T05:56:03.440Z", "value": "Made public."}], "datePublic": "2026-03-26T05:56:03.440Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-4874", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451611", "name": "RHBZ#2451611", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server\u2019s network context, potentially probing internal networks or internal APIs, leading to information disclosure."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-03-26T07:23:12.550Z"}, "x_redhatCweChain": "CWE-918: Server-Side Request Forgery (SSRF)"}}, "cveMetadata": {"cveId": "CVE-2026-4874", "state": "PUBLISHED", "dateUpdated": "2026-03-26T13:54:08.137Z", "dateReserved": "2026-03-26T05:47:45.449Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-03-26T07:12:37.545Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*", "matchCriteriaId": "E5C930CB-4EAD-497B-A44B-D880F2A1F85B", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "0D8BC03A-4198-4488-946B-3F6B43962942", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*", "matchCriteriaId": "0A24CBFB-4900-47A5-88D2-A44C929603DC", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "9EFEC7CA-8DDA-48A6-A7B6-1F1D14792890", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server\u2019s network context, potentially probing internal networks or internal APIs, leading to information disclosure."}, {"lang": "es", "value": "Se encontr\u00f3 una vulnerabilidad en Keycloak. Un atacante autenticado puede realizar falsificaci\u00f3n de petici\u00f3n del lado del servidor (SSRF) manipulando el par\u00e1metro 'client_session_host' durante las peticiones de token de actualizaci\u00f3n. Esto ocurre cuando un cliente de Keycloak est\u00e1 configurado para usar la 'backchannel.logout.url' con el marcador de posici\u00f3n 'application.session.host'. La explotaci\u00f3n exitosa permite al atacante realizar peticiones HTTP desde el contexto de red del servidor de Keycloak, potencialmente sondeando redes internas o APIs internas, lo que lleva a la revelaci\u00f3n de informaci\u00f3n."}], "id": "CVE-2026-4874", "lastModified": "2026-04-01T14:11:28.077", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.1, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-26T08:16:22.700", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2026-4874"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451611"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue.", "bugzilla": {"description": "org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation", "id": "2451611", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451611"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server\u2019s network context, potentially probing internal networks or internal APIs, leading to information disclosure."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-4874", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Fix deferred", "package_name": "rhbk/keycloak-operator-bundle", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Affected", "package_name": "rhbk/keycloak-rhel9", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Fix deferred", "package_name": "rhbk/keycloak-rhel9-operator", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "keycloak-services", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "keycloak-services", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}, {"cpe": "cpe:/a:redhat:red_hat_single_sign_on:7", "fix_state": "Fix deferred", "package_name": "keycloak-services", "product_name": "Red Hat Single Sign-On 7"}], "public_date": "2026-03-26T05:56:03Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-4874\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-4874"], "statement": "This flaw allows an authenticated attacker to perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This vulnerability is exploitable when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder, enabling the attacker to probe internal networks from the Keycloak server's context. Exploitation requires valid user credentials and a logout event.", "threat_severity": "Low"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 98.0, "source": "matching"}]}, "original": {"product": "Red Hat Build of Keycloak", "source": "cna", "vendor": "Red Hat"}, "product": "build_of_keycloak", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 97.0, "source": "matching"}]}, "original": {"product": "Red Hat JBoss Enterprise Application Platform 8", "source": "cna", "vendor": "Red Hat"}, "product": "jboss_enterprise_application_platform", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 99.0, "source": "matching"}]}, "original": {"product": "Red Hat JBoss Enterprise Application Platform Expansion Pack", "source": "cna", "vendor": "Red Hat"}, "product": "jboss_enterprise_application_platform_expansion_pack", "vendor": "redhat"}, {"configurations": [{"platform": null, "status": "affected", "versions": null}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 93.0, "source": "matching"}]}, "original": {"product": "Red Hat Single Sign-On 7", "source": "cna", "vendor": "Red Hat"}, "product": "single_sign-on", "vendor": "redhat"}], "analysis": {"en": {"generated_at": "2026-04-02T05:25:26.024872+00:00", "value": {"mitigation_remediation": ["Remove or modify the backchannel logout URL that uses the application.session.host placeholder in the Keycloak client configuration.", "Monitor Keycloak logs for unexpected or crafted client_session_host values during refresh token requests.", "Check Red\u202fHat Security advisories for any updated patches or workarounds as they become available.", "If no patch or workaround is released, consider restricting outbound network traffic from the Keycloak server to limit internal network probing."], "summary": {"action": "Assess Impact", "impact": "Server\u2011Side Request Forgery enabling internal network probing"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Red\u202fHat Build of Keycloak, Red\u202fHat JBoss Enterprise Application Platform\u202f8, the JBoss Enterprise Application Platform Expansion Pack, and Red\u202fHat Single Sign\u2011On\u202f7. Specific version information is not provided, so the flaw likely applies to the current releases referenced in the advisory.", "description_and_impact": "An authenticated attacker can abuse a Keycloak flaw that allows manipulation of the client_session_host parameter during refresh token requests. By configuring a client to use a backchannel logout URL that expands a placeholder, the attacker forces the Keycloak server to resolve and request an attacker\u2011supplied URL, producing a server\u2011side request forgery. The resulting internal HTTP requests can probe network services or expose sensitive data.", "risk_and_exploitability": "The CVSS score of 3.1 classifies the issue as low severity, and the EPSS score below 1\u202f% indicates a low likelihood of exploitation. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation requires authentication and a client configured with the vulnerable backchannel logout setting; when those conditions are met, the attacker can force requests from the Keycloak server\u2019s internal network, potentially leaking internal information."}}}}, "created": "2026-03-26T12:08:16.428151+00:00", "updated": "2026-04-02T07:58:59.767030+00:00", "vendors": ["redhat", "redhat$PRODUCT$build_of_keycloak", "redhat$PRODUCT$jboss_enterprise_application_platform", "redhat$PRODUCT$jboss_enterprise_application_platform_expansion_pack", "redhat$PRODUCT$single_sign-on"]}