Bug 2451611 (CVE-2026-4874) - CVE-2026-4874 org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation
Summary: CVE-2026-4874 org.keycloak.protocol.oidc.grants: org.keycloak.services.manage...
Keywords:
Status: NEW
Alias: CVE-2026-4874
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2026-03-26 05:51 UTC by OSIDB Bzimport
Modified: 2026-03-26 06:02 UTC (History)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Description OSIDB Bzimport 2026-03-26 05:51:36 UTC
Blind SSRF in Keycloak’s OIDC token endpoint allows an authenticated attacker to control the client_session_host parameter during refresh token requests, which is then stored in the client session. When a client is configured with backchannel.logout.url using the application.session.host placeholder, Keycloak substitutes this attacker-controlled value and issues a server-side HTTP POST to the resulting URL on logout. This lets the attacker make HTTP requests from the Keycloak server’s network context, potentially probing internal networks, cloud metadata services, or internal APIs that are not externally reachable. Exploitation requires valid credentials to obtain a refresh token, a client using backchannel.logout.url with the placeholder, and a logout event (admin, user, or timeout).
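The following is an added defender-side example, not Keycloak's own code and not part of this bug report. It does two things the description above implies an operator would want: audit a realm export for clients whose backchannel.logout.url still embeds the ${application.session.host} placeholder, and show an allowlist check that a logout URL built from a session-supplied host must pass before any server-side POST is issued. It assumes the realm export layout (clients[].attributes["backchannel.logout.url"]); the realm fragment and the allowed-host set are constructed for the example.

```python
"""Audit Keycloak client config for the ${application.session.host} placeholder
and validate a substituted back-channel logout URL against a host allowlist.

Added example (not Keycloak code). Assumes realm export shape
clients[].attributes["backchannel.logout.url"]; sample data is constructed.
"""
import json
from typing import List, Optional, Set
from urllib.parse import urlsplit

PLACEHOLDER = "${application.session.host}"
LOGOUT_URL_ATTR = "backchannel.logout.url"

# Constructed realm export fragment; not a real realm.
REALM_EXPORT = json.dumps({
    "realm": "example",
    "clients": [
        {"clientId": "app-a",
         "attributes": {LOGOUT_URL_ATTR: "https://app-a.internal.example/logout"}},
        {"clientId": "app-b",
         "attributes": {LOGOUT_URL_ATTR: "https://${application.session.host}/logout"}},
        {"clientId": "app-c", "attributes": {}},
    ],
})


def find_placeholder_clients(export_json: str) -> List[str]:
    """Return clientIds whose back-channel logout URL contains the session-host placeholder.

    These are the clients exposed to the behaviour described in the report,
    because the host portion of the logout target comes from session data.
    """
    realm = json.loads(export_json)
    hits = []
    for client in realm.get("clients", []):
        url = (client.get("attributes") or {}).get(LOGOUT_URL_ATTR, "")
        if PLACEHOLDER in url:
            hits.append(client["clientId"])
    return hits


def resolve_logout_url(template: str, session_host: str,
                       allowed_hosts: Set[str]) -> Optional[str]:
    """Substitute the placeholder, then accept the URL only if it is https and
    its parsed hostname is in the per-client allowlist; otherwise return None.

    Parsing after substitution (rather than checking session_host directly)
    means values carrying ports, userinfo ('@') or path separators cannot
    smuggle a different host past the check.
    """
    url = template.replace(PLACEHOLDER, session_host)
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    if parts.hostname is None or parts.hostname not in allowed_hosts:
        return None
    return url


if __name__ == "__main__":
    print("clients using the placeholder:", find_placeholder_clients(REALM_EXPORT))
    allow = {"app-b.example"}
    tmpl = "https://${application.session.host}/logout"
    for host in ("app-b.example", "169.254.169.254", "app-b.example@other.example"):
        print(host, "->", resolve_logout_url(tmpl, host, allow))
```

The audit function is the quick check an operator can run against `kc.sh export` output to see which clients would substitute a session-supplied host; the allowlist function is the shape of mitigation to apply wherever such substitution happens, and it rejects the metadata-service and userinfo-smuggling cases shown in the usage block.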