CVE-2026-4874 Overview
A Server-Side Request Forgery (SSRF) vulnerability has been identified in Keycloak, the popular open-source identity and access management solution. An authenticated attacker can exploit this flaw by manipulating the client_session_host parameter during refresh token requests. The vulnerability is triggered when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server's network context, potentially enabling reconnaissance of internal networks and APIs, leading to information disclosure.
Critical Impact
Authenticated attackers can leverage this SSRF vulnerability to probe internal network infrastructure and access internal APIs from the Keycloak server's network position, potentially exposing sensitive internal resources and configuration data.
Affected Products
- Keycloak (specific versions not yet defined in advisory)
- Red Hat Single Sign-On (based on Keycloak)
- Deployments using backchannel.logout.url with application.session.host placeholder
Discovery Timeline
- 2026-03-26 - CVE-2026-4874 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-4874
Vulnerability Analysis
This SSRF vulnerability (CWE-918) exists in Keycloak's token refresh handling mechanism. The flaw occurs during the processing of refresh token requests when specific client configurations are in place. The client_session_host parameter is not properly validated, allowing an authenticated user to inject arbitrary hostnames or IP addresses.
When a Keycloak client is configured with a backchannel.logout.url that utilizes the application.session.host placeholder, the server-side code substitutes the attacker-controlled value from client_session_host directly into the URL used for backchannel logout requests. This allows the attacker to redirect HTTP requests to internal resources that would otherwise be inaccessible from external networks.
The vulnerability requires authentication, which limits the attack surface but still poses significant risks in multi-tenant environments or systems where user registration is open.
Root Cause
The root cause of this vulnerability is improper input validation of the client_session_host parameter combined with the insecure use of the application.session.host placeholder in backchannel logout URL configurations. The Keycloak server trusts user-supplied host information without adequate verification, allowing manipulation of the destination for server-originated HTTP requests.
Attack Vector
The attack is network-based and requires the attacker to have valid authentication credentials for the Keycloak instance. The exploitation flow involves:
- The attacker authenticates to the Keycloak server and obtains a refresh token
- During a token refresh request, the attacker manipulates the client_session_host parameter to point to an internal resource
- When the backchannel logout URL is processed, Keycloak substitutes the malicious host value
- The Keycloak server makes an HTTP request to the attacker-specified internal target
- Response data or timing information may reveal details about internal infrastructure
The vulnerability mechanism centers on the insecure placeholder substitution in backchannel logout URLs. When the application.session.host placeholder is used in backchannel.logout.url configurations, Keycloak substitutes this with the value from client_session_host without proper validation. An attacker can set this parameter to internal hostnames like localhost, 127.0.0.1, internal IP ranges, or internal DNS names to probe infrastructure that should not be accessible from outside the network. For detailed technical analysis, refer to the Red Hat CVE-2026-4874 Advisory.
Detection Methods for CVE-2026-4874
Indicators of Compromise
- Unusual values in client_session_host parameters within token refresh requests, particularly internal IP addresses or hostnames
- Keycloak server making unexpected outbound HTTP requests to internal network segments
- Authentication logs showing repeated token refresh attempts from the same user with varying session host values
- Network traffic from the Keycloak server to internal services that don't normally receive such connections
Detection Strategies
- Monitor Keycloak access logs for token refresh requests containing suspicious client_session_host values such as localhost, 127.0.0.1, or internal IP ranges
- Implement network segmentation monitoring to detect Keycloak server connections to internal resources outside its normal communication patterns
- Deploy web application firewall (WAF) rules to inspect and flag token requests with internal IP addresses or hostnames in the client_session_host parameter
- Utilize SentinelOne Singularity Platform for real-time behavioral analysis of Keycloak server network activity
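The first detection strategy above (flagging token refresh requests whose client_session_host names localhost, 127.0.0.1 or an internal range) can be scripted. The following is an added example written for this advisory, not Keycloak code or a SentinelOne rule; the log line layout ("timestamp user POST path form-body") and the list of internal DNS suffixes are assumptions, since Keycloak does not log this parameter by default and you would feed it from a reverse proxy or request-body capture of POSTs to the token endpoint. The sample log lines are constructed. It generalises slightly beyond the text by also catching link-local addresses, IPv6 loopback, bracketed hosts and host:port values.

```python
"""Flag token-refresh requests whose client_session_host points at an
internal, loopback or link-local destination (CVE-2026-4874 detection).

Added example for this advisory, not Keycloak's own code. Log format and
internal suffix list are assumptions; sample lines are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs

# Constructed sample log lines: "<ts> <user> POST <path> <form-body>" (assumed layout).
SAMPLE_LOG = """\
2026-03-26T10:00:01Z alice POST /realms/app/protocol/openid-connect/token grant_type=refresh_token&client_id=web&client_session_host=app.example.com
2026-03-26T10:00:05Z bob POST /realms/app/protocol/openid-connect/token grant_type=refresh_token&client_id=web&client_session_host=127.0.0.1
2026-03-26T10:00:09Z bob POST /realms/app/protocol/openid-connect/token grant_type=refresh_token&client_id=web&client_session_host=10.0.12.7
2026-03-26T10:00:12Z bob POST /realms/app/protocol/openid-connect/token grant_type=refresh_token&client_id=web&client_session_host=localhost%3A8080
2026-03-26T10:00:15Z bob POST /realms/app/protocol/openid-connect/token grant_type=refresh_token&client_id=web&client_session_host=169.254.169.254
2026-03-26T10:00:20Z carol POST /realms/app/protocol/openid-connect/token grant_type=refresh_token&client_id=web&client_session_host=%5B%3A%3A1%5D
2026-03-26T10:00:25Z dave POST /realms/app/protocol/openid-connect/token grant_type=refresh_token&client_id=web
"""

# Internal DNS suffixes treated as sensitive; assumption, adjust to your environment.
INTERNAL_SUFFIXES = (".internal", ".local", ".corp", ".svc", ".cluster.local")

LINE_RE = re.compile(r"^(\S+) (\S+) POST (\S+) (\S*)$")


def is_internal_host(value):
    """True when value names a loopback, private, link-local or internal host.

    Strips an optional port and IPv6 brackets. Literal IPs are classified
    with the ipaddress module; names are checked against local aliases,
    the internal suffix list, and single-label (dotless) names.
    """
    host = value.strip().lower()
    if host.startswith("["):                 # "[::1]:8080" style
        host = host[1:host.find("]")] if "]" in host else host[1:]
    elif host.count(":") == 1:               # "host:port", not a bare IPv6 literal
        host = host.split(":", 1)[0]
    if host in ("localhost", "localhost.localdomain", "0.0.0.0"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.endswith(INTERNAL_SUFFIXES) or "." not in host
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_unspecified)


def parse_line(line):
    """Split one log line and url-decode the client_session_host form field."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, path, body = m.groups()
    params = parse_qs(body)
    return {"ts": ts, "user": user, "path": path,
            "host": params.get("client_session_host", [None])[0]}


def find_suspicious(log_text):
    """Return (ts, user, host) for each token request with an internal client_session_host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["host"] is None:
            continue
        if rec["path"].endswith("/protocol/openid-connect/token") and is_internal_host(rec["host"]):
            findings.append((rec["ts"], rec["user"], rec["host"]))
    return findings


def repeat_offenders(findings, threshold=2):
    """Users who sent at least `threshold` distinct internal host values
    (the 'varying session host values' indicator listed above)."""
    seen = {}
    for _, user, host in findings:
        seen.setdefault(user, set()).add(host)
    return sorted(u for u, hosts in seen.items() if len(hosts) >= threshold)


if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for ts, user, host in hits:
        print(f"{ts} user={user} internal client_session_host={host}")
    print("repeat offenders:", repeat_offenders(hits))
```

Run it against the constructed sample and it reports five suspicious requests (four from bob, one from carol) and names bob as a repeat offender; alice's public hostname and dave's request without the parameter are ignored. Tune INTERNAL_SUFFIXES and the threshold to your environment before alerting on it.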
Monitoring Recommendations
- Enable detailed logging for all OAuth token operations in Keycloak, specifically focusing on refresh token flows
- Configure alerts for Keycloak server outbound connections to RFC1918 private IP ranges or internal DNS names
- Implement egress filtering to restrict and log the Keycloak server's ability to initiate connections to internal services
- Deploy SentinelOne agents on Keycloak server hosts to monitor for anomalous network behavior patterns
How to Mitigate CVE-2026-4874
Immediate Actions Required
- Review all Keycloak client configurations for usage of backchannel.logout.url with the application.session.host placeholder
- Consider removing or replacing the application.session.host placeholder with static, validated URLs in backchannel logout configurations
- Implement network-level restrictions to limit the Keycloak server's ability to make outbound requests to internal network segments
- Audit authentication logs for signs of exploitation attempts
- Apply vendor patches when available from Red Hat or the Keycloak project
Patch Information
As of the publication date, specific patch information has not been released. Organizations should monitor the Red Hat CVE-2026-4874 Advisory and Red Hat Bug Report #2451611 for updates on official patches and remediation guidance. Red Hat typically provides patched versions through their standard update channels for Red Hat Single Sign-On and related products.
Workarounds
- Reconfigure affected clients to use static URLs instead of the application.session.host placeholder in backchannel.logout.url settings
- Implement network segmentation to isolate the Keycloak server and restrict its outbound connectivity to only required external services
- Deploy a reverse proxy or WAF in front of Keycloak to filter and validate incoming token requests before they reach the server
- Consider disabling backchannel logout functionality for clients where it is not strictly required until patches are available
# Example: Review Keycloak client configurations for vulnerable patterns
# Search for clients whose backchannel.logout.url uses the application.session.host placeholder
# Using the Keycloak admin CLI (kcadm.sh): authenticate first, then export client configurations for review
./kcadm.sh config credentials --server https://keycloak.example.com --realm master --user admin
./kcadm.sh get clients -r your-realm --fields 'clientId,attributes' | grep -iE '"clientId"|backchannel.logout.url'
# Only the URLs that contain the placeholder need reconfiguring:
./kcadm.sh get clients -r your-realm --fields 'clientId,attributes' | grep -i "application.session.host"

# Network-level mitigation: Restrict Keycloak server outbound connections
# Example iptables rules to block internal network access from the Keycloak server process (assumed to run as user "keycloak")
# Accept replies to established connections and the internal services Keycloak itself needs (database, LDAP, SMTP)
# BEFORE the DROP rules, or the server loses its own backends; dropping 127.0.0.0/8 also blocks anything reached over loopback
iptables -A OUTPUT -m owner --uid-owner keycloak -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner keycloak -d your-db-host -p tcp --dport 5432 -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner keycloak -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -m owner --uid-owner keycloak -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -m owner --uid-owner keycloak -d 192.168.0.0/16 -j DROP
iptables -A OUTPUT -m owner --uid-owner keycloak -d 127.0.0.0/8 -j DROP
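The grep above shows matching lines but not which client they belong to. The following added example (written for this advisory, not part of Keycloak or its CLI) parses the JSON that `kcadm.sh get clients -r <realm> --fields clientId,attributes` prints, lists every client whose backchannel.logout.url relies on the placeholder, and rewrites such a URL to the static form the workarounds section recommends. The client entries are constructed sample data, and the `${application.session.host}` spelling of the placeholder is an assumption; matching is done on the bare name so the braces do not matter for detection.

```python
"""Find Keycloak clients whose backchannel.logout.url uses the
application.session.host placeholder, and rewrite them to a static host.

Added example for this advisory, not Keycloak's own tooling. Input is the
JSON list printed by `kcadm.sh get clients --fields clientId,attributes`.
The sample export is constructed; the "${...}" placeholder syntax is an
assumption.
"""
import json
import re
import sys

PLACEHOLDER = "application.session.host"
# Matches "${application.session.host}" (assumed syntax) or the bare name.
PLACEHOLDER_RE = re.compile(r"\$\{\s*application\.session\.host\s*\}|application\.session\.host")

# Constructed sample export in the shape kcadm.sh prints (list of client objects).
SAMPLE_EXPORT = json.dumps([
    {"clientId": "web-portal",
     "attributes": {"backchannel.logout.url": "https://${application.session.host}/logout"}},
    {"clientId": "api-gateway",
     "attributes": {"backchannel.logout.url": "https://gw.example.com/k_logout"}},
    {"clientId": "legacy-app",
     "attributes": {"backchannel.logout.url": "http://${application.session.host}:8080/bc-logout",
                    "backchannel.logout.session.required": "true"}},
    {"clientId": "cli-tool"},   # no attributes block at all
])


def find_placeholder_clients(export_json):
    """Return [(clientId, url)] for every client whose backchannel.logout.url
    contains the placeholder. Clients without attributes are skipped."""
    hits = []
    for client in json.loads(export_json):
        attrs = client.get("attributes") or {}
        url = attrs.get("backchannel.logout.url", "")
        if PLACEHOLDER in url:
            hits.append((client["clientId"], url))
    return hits


def to_static_url(url, static_host):
    """Replace the placeholder with an operator-chosen, validated host name.
    URLs without the placeholder are returned unchanged."""
    return PLACEHOLDER_RE.sub(static_host, url)


def main(path=None):
    """Review an export file (or the built-in sample when no path is given)."""
    data = open(path, encoding="utf-8").read() if path else SAMPLE_EXPORT
    hits = find_placeholder_clients(data)
    if not hits:
        print("no clients use the application.session.host placeholder")
    for client_id, url in hits:
        print(f"{client_id}: {url}")
    return hits


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Save the kcadm output to a file and pass its path as the only argument; each printed client is a candidate for the "static URL" workaround, and `to_static_url` gives the value to write back through the admin console or `kcadm.sh update`.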
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


