Arbitrary Jwks_uri Vulnerability in Keycloak's OpenID Connect Dynamic Client Registration
CVE-2026-1180
5.8 MEDIUM
What is CVE-2026-1180?
A vulnerability exists in Keycloak's OpenID Connect Dynamic Client Registration feature when clients use private_key_jwt for authentication. A registering client can supply an arbitrary jwks_uri, which Keycloak fetches without proper validation. An attacker can therefore make the Keycloak server issue HTTP requests to internal or otherwise restricted network resources (a server-side request forgery). This increases the risk of information disclosure and of unauthorized reconnaissance against critical internal services and cloud metadata endpoints.
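The defensive control a registration endpoint needs here is to validate a client-supplied jwks_uri before fetching it. The following is an added Python illustration, not Keycloak's code or its fix: it requires https, rejects userinfo, resolves the host through an injected resolver so the caller can connect to exactly the vetted addresses, and refuses loopback, RFC 1918, link-local (cloud metadata) and IPv4-mapped addresses. The deny-list, hostnames and resolver table are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Address ranges a client-supplied jwks_uri must never point at: loopback,
# RFC 1918, link-local (where cloud metadata services live), CGNAT and the
# IPv6 equivalents. Constructed for this example; tune per deployment.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

def _is_blocked(addr):
    """True if addr falls in a blocked range; IPv4-mapped IPv6 is unwrapped first."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return ip.is_multicast or ip.is_unspecified or any(ip in n for n in BLOCKED_NETWORKS)

def validate_jwks_uri(uri, resolver):
    """Return (ok, reason, addrs). resolver(host) returns the IP strings the host
    resolves to; injecting it keeps the check offline-testable and lets the caller
    connect to exactly those addresses instead of re-resolving at fetch time
    (a second lookup could be rebound to an internal address)."""
    parsed = urlparse(uri)
    if parsed.scheme != "https":
        return False, "jwks_uri must use https", []
    if parsed.username or parsed.password:
        return False, "userinfo not allowed in jwks_uri", []
    host = parsed.hostname
    if not host:
        return False, "jwks_uri has no host", []
    try:
        ipaddress.ip_address(host)
        addrs = [host]  # literal IP address: nothing to resolve
    except ValueError:
        addrs = list(resolver(host))
    if not addrs:
        return False, "host did not resolve", []
    bad = [a for a in addrs if _is_blocked(a)]
    if bad:
        return False, f"resolves to blocked address {bad[0]}", []
    return True, "ok", addrs

if __name__ == "__main__":
    # Constructed stand-in for DNS; a real deployment resolves with getaddrinfo.
    table = {"idp.example": ["203.0.113.10"], "keys.evil.example": ["10.0.0.5"]}
    for u in ("https://idp.example/jwks.json", "https://keys.evil.example/jwks.json"):
        print(u, validate_jwks_uri(u, lambda h: table.get(h, []))[:2])
```

The returned address list is meant to be pinned for the actual HTTPS fetch (with the original hostname kept for SNI and certificate validation), otherwise the check can be bypassed by a DNS answer that changes between validation and retrieval.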
CVSS v3.1
Score: 5.8
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Timeline
Vulnerability published
Vulnerability reserved
Credit
Red Hat would like to thank lucasm0nt3s for reporting this issue.