Red Hat CVE-2026-1180
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
3Blast Radius
ecosystem impact- 50 maven packages depend on org.keycloak:keycloak-adapter-core (24 direct, 26 indirect)
Ecosystem-wide dependent count for version 25.0.3.
DescriptionCVE.org
A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.
AnalysisAI
Keycloak's OpenID Connect Dynamic Client Registration feature fails to validate jwks_uri values when clients authenticate via private_key_jwt, allowing attackers to redirect the server to arbitrary network endpoints. This enables reconnaissance and information disclosure attacks against internal services and cloud metadata endpoints accessible from the Keycloak server. No patch is currently available for this MEDIUM severity vulnerability.
Technical ContextAI
Classified as CWE-918 (Server-Side Request Forgery (SSRF)). A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosur
Affected ProductsAI
A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allo
RemediationAI
Monitor vendor advisories for a patch. Restrict network access to the affected service where possible.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allSame technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-7vw6-5q2f-7w5r