Low severity · 3.1 · NVD Advisory · Published Mar 26, 2026 · Updated Jun 10, 2026
CVE-2026-4874
Description
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the client_session_host parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-services (Maven) | <= 26.6.0 | — |
Affected products
- cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:*
- OSV coordinates (3 packages, no CPE):
  - pkg:apk/chainguard/keycloak-fips-26.5 — range: < 26.5.6-r4
  - pkg:apk/chainguard/keycloak-fips-26.5-iamguarded-fips — range: < 26.5.6-r4
  - pkg:maven/org.keycloak/keycloak-services — range: <= 26.6.0
Patches
Vulnerability mechanics
References
- access.redhat.com/security/cve/CVE-2026-4874 (NVD: Vendor Advisory, Web)
- bugzilla.redhat.com/show_bug.cgi (NVD: Issue Tracking, Vendor Advisory, Web)
- github.com/advisories/GHSA-22rm-wp4x-v5cx (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-4874 (GHSA: Advisory)
- access.redhat.com/errata/RHSA-2026:25097 (NVD)
- access.redhat.com/errata/RHSA-2026:25098 (NVD)