Low severity3.1NVD Advisory· Published Mar 26, 2026· Updated Apr 1, 2026

CVE-2026-4874

Description

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the client_session_host parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.keycloak:keycloak-servicesMaven	<= 26.6.0	—

Affected products

Red Hat/Build Of Keycloak
cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
Red Hat/Jboss Enterprise Application Platform
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
Red Hat/Jboss Enterprise Application Platform Expansion Pack
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
Red Hat/Single Sign On
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/security/cve/CVE-2026-4874nvdVendor AdvisoryWEB
bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor AdvisoryWEB
github.com/advisories/GHSA-22rm-wp4x-v5cxghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-4874ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.202
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000