CVE-2026-4874

Published: 26 Mar 2026
Source: nvd
CVSS3: 3.1
EPSS: Low

Description

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the client_session_host parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.

Vulnerable configurations

Configuration 1

One of

cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*

EPSS

Percentile: 6%
Score: 0.00024
Low

CVSS3: 3.1 Low

Weaknesses

CWE-918

Related vulnerabilities

CVSS3: 3.1
redhat
14 days ago

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.

CVSS3: 3.1
debian
14 days ago

A flaw was found in Keycloak. An authenticated attacker can perform Se ...

CVSS3: 3.1
github
13 days ago

Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation