Server-Side Request Forgery Vulnerability in Keycloak by Red Hat
CVE-2026-4874
3.1 LOW
What is CVE-2026-4874?
Keycloak allows an authenticated attacker to perform Server-Side Request Forgery (SSRF) by manipulating the client_session_host parameter sent with refresh token requests. When a client's backchannel.logout.url contains the ${application.session.host} placeholder, Keycloak fills that placeholder from the client_session_host value supplied by the client, so the backchannel logout request is sent to a host of the attacker's choosing. The attacker can thereby cause the Keycloak server to issue HTTP requests from its own network context, exposing internal networks and APIs to probing and information leakage. Only clients whose backchannel.logout.url uses the placeholder are affected; a client with a fixed backchannel logout URL does not use the attacker-supplied value, so auditing client configurations for the placeholder is the first check to run.
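The following is an added illustration and is not Keycloak source code. It models the placeholder substitution the advisory describes (the client_session_host value copied verbatim into the backchannel.logout.url template), shows a hypothetical allowlist check that would refuse an attacker-chosen host (an illustration only, not the upstream fix), and provides an audit helper that flags clients in an Admin REST API /admin/realms/{realm}/clients listing whose backchannel.logout.url still carries the placeholder. The sample client records are constructed, and the corp.example domain is an assumption.

```python
"""Added illustration for the CVE-2026-4874 advisory; not Keycloak source code.
Models the URL substitution the advisory describes and gives an Admin-API
audit check for the exposed client configuration."""
import json
import re
import urllib.request

PLACEHOLDER = "${application.session.host}"   # placeholder named in the advisory
ATTR_KEY = "backchannel.logout.url"           # client attribute named in the advisory

# Bare RFC 1123 hostname: labels of letters, digits and hyphens; no scheme, port or path.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def resolve_backchannel_logout_url(template: str, client_session_host: str) -> str:
    """Behaviour as described in the advisory: the value the client sent as
    client_session_host is trusted verbatim, so whoever controls that parameter
    controls the host Keycloak will send the backchannel logout request to."""
    return template.replace(PLACEHOLDER, client_session_host)


def is_acceptable_session_host(client_session_host: str, allowed_suffixes) -> bool:
    """Hypothetical hardening (illustration only, not the upstream fix): accept only
    a bare hostname that equals, or sits under, an expected domain suffix."""
    host = client_session_host.lower()
    if not _HOSTNAME_RE.match(host):
        return False          # rejects "10.0.0.5:8443", "evil.test/#", empty strings
    suffixes = [s.lower() for s in allowed_suffixes]
    return any(host == s or host.endswith("." + s) for s in suffixes)


def resolve_backchannel_logout_url_hardened(template, client_session_host, allowed_suffixes):
    """Same substitution, but refuses values is_acceptable_session_host rejects."""
    if PLACEHOLDER not in template:
        return template       # fixed URL: the client-supplied value is never used
    if not is_acceptable_session_host(client_session_host, allowed_suffixes):
        raise ValueError(f"rejected client_session_host {client_session_host!r}")
    return template.replace(PLACEHOLDER, client_session_host)


def find_exposed_clients(clients):
    """Return clientIds whose backchannel.logout.url still uses the placeholder.
    `clients` is the list of ClientRepresentation dicts returned by
    GET /admin/realms/{realm}/clients (attributes may be absent)."""
    exposed = []
    for client in clients:
        url = (client.get("attributes") or {}).get(ATTR_KEY, "")
        if PLACEHOLDER in url:
            exposed.append(client["clientId"])
    return sorted(exposed)


def fetch_clients(base_url: str, realm: str, bearer_token: str):
    """Live lookup against a real realm (needs an admin bearer token; not run here)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/admin/realms/{realm}/clients",
        headers={"Authorization": f"Bearer {bearer_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample data, not taken from any real realm.
SAMPLE_CLIENTS = [
    {"clientId": "legacy-app",
     "attributes": {ATTR_KEY: "http://${application.session.host}:8080/legacy/k_logout"}},
    {"clientId": "portal",
     "attributes": {ATTR_KEY: "https://portal.corp.example/logout"}},
    {"clientId": "account-console", "attributes": {}},
]

if __name__ == "__main__":
    template = SAMPLE_CLIENTS[0]["attributes"][ATTR_KEY]
    # An honest adapter sends its own hostname; an attacker sends an internal target.
    print(resolve_backchannel_logout_url(template, "app-1.corp.example"))
    print(resolve_backchannel_logout_url(template, "169.254.169.254"))
    print("exposed clients:", find_exposed_clients(SAMPLE_CLIENTS))
    print(resolve_backchannel_logout_url_hardened(template, "app-1.corp.example", ["corp.example"]))
```

Run the audit against a live realm with fetch_clients and pass the result to find_exposed_clients; any client it lists uses the placeholder and therefore lets a caller of the token endpoint pick the logout target host until the deployment is updated.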
CVSS v3.1
Score: 3.1
Severity: LOW
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: Low
Note: the metric values listed above compute to a base score of 4.2 under the CVSS v3.1 formula, not 3.1; a base score of 3.1 results only if either Confidentiality or Availability is None with the other metrics unchanged. Check the vector string in the vendor advisory before relying on either figure.
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Red Hat would like to thank Evan Hendra (Independent Security Researcher) for reporting this issue.