← back
CVE-2026-4366

Keycloak-services: blind server-side request forgery (ssrf) via http redirect handling in keycloak

CVSS 5.8 MEDIUMEPSS 0.2%CWE-918
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 5.8EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch referenciado
Lifecycle
18 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or restricted resources. As a result, sensitive internal services such as cloud metadata endpoints could be accessed. This issue may lead to information disclosure and enable attackers to map internal network infrastructure.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N