Executive Summary

CVE-2026-4366 is a Server-Side Request Forgery (SSRF) vulnerability in Keycloak, an identity and access management solution. The flaw arises because Keycloak improperly follows HTTP redirects when processing certain client configuration requests, specifically when handling HTTP redirect responses like HTTP 302 without validating the final destination URL.

An attacker can exploit this by providing a specially crafted sector_identifier_uri that initially appears valid but redirects Keycloak to internal or restricted network resources, such as cloud metadata service endpoints (e.g., 169.254.169.254). This causes Keycloak to make unintended requests from its own network context, leading to a blind SSRF scenario.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows attackers to trick Keycloak into making unintended requests to internal or restricted resources within its network environment. As a result, attackers can access sensitive internal services such as cloud metadata endpoints.

The impact includes potential information disclosure and the ability for attackers to perform internal network reconnaissance, mapping internal network infrastructure. This can increase the risk of further attacks or exploitation of internal systems.

The vulnerability can be exploited remotely without requiring authentication or user interaction, making it easier for attackers to leverage.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves Keycloak improperly following HTTP redirects during client configuration processing, leading to Server-Side Request Forgery (SSRF). Detection involves monitoring Keycloak logs and network traffic for unusual outbound requests to internal or restricted IP addresses, such as cloud metadata service endpoints (e.g., 169.254.169.254).'}, {'type': 'paragraph', 'content': 'You can check Keycloak server logs for HTTP 3xx redirect responses and subsequent requests to internal IPs. Additionally, network monitoring tools can be used to detect unexpected outbound HTTP requests originating from the Keycloak server.'}, {'type': 'paragraph', 'content': 'Suggested commands include:'}, {'type': 'list_item', 'content': "Use grep to find redirect handling in Keycloak logs: `grep -i '302' /path/to/keycloak/logs/server.log`"}, {'type': 'list_item', 'content': 'Monitor outbound connections from the Keycloak server to internal IPs: `sudo netstat -anp | grep ESTABLISHED | grep keycloak`'}, {'type': 'list_item', 'content': 'Use tcpdump to capture HTTP traffic from Keycloak to internal addresses: `sudo tcpdump -i eth0 host 169.254.169.254 and port 80`'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should prevent Keycloak from following unvalidated HTTP redirects during client configuration processing.

Immediate steps include:

• Apply any available patches or updates from Keycloak or your Linux distribution that address this SSRF issue.
• Restrict network access from the Keycloak server to sensitive internal resources, such as cloud metadata endpoints (e.g., 169.254.169.254), using firewall rules or network segmentation.
• Review and validate all client configuration URLs, especially sector_identifier_uri values, to ensure they do not redirect to internal or restricted addresses.
• Monitor Keycloak logs and network traffic for suspicious redirect behavior or unexpected outbound requests.

Useful 0 Not Useful 0