Количество 3
Количество 3
CVE-2026-1180
A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.
CVE-2026-1180
A flaw was identified in Keycloak\u2019s OpenID Connect Dynamic Client ...
GHSA-7vw6-5q2f-7w5r
Keycloak’s OpenID Connect Dynamic Client Registration feature affected by Server-Side Request Forgery (SSRF)
Уязвимостей на страницу
Уязвимость | CVSS | EPSS | Опубликовано | |
|---|---|---|---|---|
 | CVE-2026-1180 A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk. | CVSS3: 5.8 | 0% Низкий | 20 дней назад |
| CVE-2026-1180 A flaw was identified in Keycloak\u2019s OpenID Connect Dynamic Client ... | CVSS3: 5.8 | 0% Низкий | 20 дней назад |
| GHSA-7vw6-5q2f-7w5r Keycloak’s OpenID Connect Dynamic Client Registration feature affected by Server-Side Request Forgery (SSRF) | CVSS3: 5.8 | 0% Низкий | 20 дней назад |
Уязвимостей на страницу