CVE-2026-4366

MEDIUM

Keycloak-services: blind server-side request forgery (ssrf) via http redirect handling in keycloak

Title source: cna

Description

A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or restricted resources. As a result, sensitive internal services such as cloud metadata endpoints could be accessed. This issue may lead to information disclosure and enable attackers to map internal network infrastructure.

References (2)

[Vdb Entry, X_Refsource_Redhat] https://access.redhat.com/security/cve/CVE-2026-4366

[Issue Tracking, X_Refsource_Redhat] https://bugzilla.redhat.com/show_bug.cgi?id=2448543

Scores

CVSS v3 5.8

EPSS 0.0004

EPSS Percentile 11.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Details

CWE

CWE-918

Status published

Products (4)

Red Hat/Red Hat Build of Keycloak

Red Hat/Red Hat JBoss Enterprise Application Platform 8

Red Hat/Red Hat JBoss Enterprise Application Platform Expansion Pack

Red Hat/Red Hat Single Sign-On 7

Published Mar 18, 2026

Tracked Since Mar 18, 2026