CVE-2026-4366

Keycloak-services: blind server-side request forgery (ssrf) via http redirect handling in keycloak

CVSS 5.8 MEDIUMEPSS 0.2%CWE-918

A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or restricted resources. As a result, sensitive internal services such as cloud metadata endpoints could be accessed. This issue may lead to information disclosure and enable attackers to map internal network infrastructure.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Produtos afetados

Red Hat · Red Hat Build of Keycloak Red Hat · Red Hat build of Keycloak 26.4 Red Hat · Red Hat build of Keycloak 26.4.12 Red Hat · Red Hat JBoss Enterprise Application Platform 8 Red Hat · Red Hat JBoss Enterprise Application Platform Expansion Pack Red Hat · Red Hat Single Sign-On 7

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://access.redhat.com/errata/RHSA-2026:19596 https://access.redhat.com/errata/RHSA-2026:19597 https://access.redhat.com/security/cve/CVE-2026-4366 https://bugzilla.redhat.com/show_bug.cgi?id=2448543