Skip to main content

Red Hat CVE-2026-1180

MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-01-20 secalert@redhat.com GHSA-7vw6-5q2f-7w5r
5.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.8 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Red Hat
5.8 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Apr 09, 2026 - 14:30 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 20, 2026 - 13:16 nvd
MEDIUM 5.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 50 maven packages depend on org.keycloak:keycloak-adapter-core (24 direct, 26 indirect)

Ecosystem-wide dependent count for version 25.0.3.

DescriptionCVE.org

A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.

AnalysisAI

Keycloak's OpenID Connect Dynamic Client Registration feature fails to validate jwks_uri values when clients authenticate via private_key_jwt, allowing attackers to redirect the server to arbitrary network endpoints. This enables reconnaissance and information disclosure attacks against internal services and cloud metadata endpoints accessible from the Keycloak server. No patch is currently available for this MEDIUM severity vulnerability.

Technical ContextAI

Classified as CWE-918 (Server-Side Request Forgery (SSRF)). A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosur

Affected ProductsAI

A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allo

RemediationAI

Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.

Vendor StatusVendor

Share

CVE-2026-1180 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy