PT-2026-28224 · Red Hat · Keycloak
Osidb Bzimport · Published 2026-03-26 · Updated 2026-03-26 · CVE-2026-4874
CVSS v3.1: 3.1 (Low)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)
Description: An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the client session host parameter during refresh token requests. This is possible when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server's network context, potentially probing internal networks or internal APIs, leading to information disclosure. Server-Side Request Forgery (SSRF) is a web security flaw that allows an attacker to induce the server-side application to make HTTP requests to an arbitrary domain of the attacker's choosing.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
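As an added illustrative example (not Keycloak's code, and not the fix for this CVE, which the advisory does not describe), the following Python shows the defensive pattern that addresses this class of issue: a placeholder such as application.session.host is substituted into a backchannel.logout.url template only when the client-supplied value matches a host the client's operator registered in advance, and the resulting URL is re-parsed and checked before any server-side request would be made. The template, allowlist, sample host values and function names are constructed for this example.

```python
import ipaddress
from urllib.parse import urlsplit

# Placeholder name as used in the advisory; the template syntax is assumed for this example.
PLACEHOLDER = "${application.session.host}"

# Constructed per-client configuration: the logout URL template and the hosts the
# client's operator has explicitly registered as legitimate session hosts.
TEMPLATE = "https://${application.session.host}/logout"
ALLOWED_HOSTS = {"app.example.com", "app2.example.com"}


class UnsafeSessionHost(ValueError):
    """Raised when a client-supplied session host must not be used in a server-side request."""


def _is_non_global_ip(host: str) -> bool:
    """True if host is a literal IP address in a loopback, private, link-local or reserved range."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return False  # not a literal IP; hostnames are governed by the allowlist only
    return not ip.is_global


def build_backchannel_logout_url(template: str, session_host: str, allowed_hosts: set) -> str:
    """Substitute the session host into the template, accepting only pre-registered values.

    Raises UnsafeSessionHost if the value is not allowlisted, points at a non-global
    address, or does not end up as exactly the hostname of an https URL.
    """
    if PLACEHOLDER not in template:
        return template  # nothing attacker-influenced is interpolated

    host = session_host.strip().lower()

    # 1. Primary control: only hosts the operator registered are ever substituted.
    if host not in {h.lower() for h in allowed_hosts}:
        raise UnsafeSessionHost(f"session host not registered for this client: {session_host!r}")

    # 2. Defence in depth: a mistakenly registered internal literal IP is still refused.
    if _is_non_global_ip(host):
        raise UnsafeSessionHost(f"session host is a non-global address: {session_host!r}")

    url = template.replace(PLACEHOLDER, host)

    # 3. Re-parse the result: the substituted value must be the whole hostname of an
    #    https URL, with no embedded credentials, regardless of where the template put it.
    parts = urlsplit(url)
    if (
        parts.scheme != "https"
        or parts.hostname is None
        or parts.hostname.lower() != host
        or parts.username is not None
        or parts.password is not None
    ):
        raise UnsafeSessionHost(f"substituted URL does not target the registered host: {url!r}")
    return url


def session_host_accepted(session_host: str, template: str = TEMPLATE, allowed_hosts: set = ALLOWED_HOSTS) -> bool:
    """Decision helper: True if the host would be used, False if the request would be refused."""
    try:
        build_backchannel_logout_url(template, session_host, allowed_hosts)
        return True
    except UnsafeSessionHost:
        return False


if __name__ == "__main__":
    # Constructed sample values a client might send in the session host parameter.
    for candidate in ["app.example.com", "10.0.0.5", "169.254.169.254", "evil.example.net"]:
        print(f"{candidate:20s} accepted={session_host_accepted(candidate)}")
```

The allowlist is the control that matters; the literal-IP and re-parse checks only catch operator mistakes (registering an internal address, or placing the placeholder somewhere other than the host position of the template). A production check that resolves hostnames would also need to validate every resolved address and pin the connection to it, which this offline example deliberately leaves out.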

Weakness Enumeration: SSRF

Related Identifiers:
CVE-2026-4874
GHSA-22RM-WP4X-V5CX

Affected Products:
Keycloak