CVE-2026-4874
Server-Side Request Forgery in Keycloak via client_session_host

Publication date: 2026-03-26

Last updated on: 2026-04-01

Assigner: Red Hat, Inc.

Description
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
Meta Information
Published: 2026-03-26
Last Modified: 2026-04-01
Generated: 2026-05-07
AI Q&A: 2026-03-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (4 associated CPEs)
Vendor   Product                                             Version / Range
redhat   single_sign-on                                      7.0
redhat   jboss_enterprise_application_platform_expansion_pack *
redhat   jboss_enterprise_application_platform               8.0.0
redhat   build_of_keycloak                                   *
CWE
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-4874 is a Server-Side Request Forgery (SSRF) vulnerability found in Keycloak's OpenID Connect token endpoint. An authenticated attacker can manipulate the `client_session_host` parameter during refresh token requests. When a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder, Keycloak substitutes the attacker-controlled value and makes an HTTP POST request from the server to that URL upon logout.

This allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially accessing internal networks, cloud metadata services, or internal APIs that are normally inaccessible from outside.


How can this vulnerability impact me?

The vulnerability allows an attacker with valid user credentials to perform SSRF attacks from the Keycloak server, potentially probing internal networks or internal APIs.

  • It can lead to information disclosure by accessing internal resources that are not exposed externally.
  • Attackers can exploit this to gather sensitive information about internal network infrastructure or cloud metadata.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves monitoring for unusual HTTP POST requests originating from the Keycloak server to internal or unexpected URLs, especially those triggered during logout events.

Since exploitation requires manipulation of the `client_session_host` parameter during refresh token requests and a configured `backchannel.logout.url` with the `application.session.host` placeholder, you can look for suspicious refresh token requests with unusual `client_session_host` values.

Commands to assist detection might include:

  • Use network monitoring tools (e.g., tcpdump or Wireshark) on the Keycloak server to capture outbound HTTP POST requests during logout events.
  • Example tcpdump command: `tcpdump -i <interface> -A 'tcp dst port 80 or tcp dst port 443'` to monitor outbound HTTP/HTTPS traffic. Note that traffic on port 443 is TLS-encrypted, so `-A` shows readable request bodies only for plain HTTP; for both ports the destination hosts and ports remain visible, which is what matters for spotting unexpected internal targets.
  • Check Keycloak server logs for refresh token requests containing the `client_session_host` parameter with unexpected or external values.
  • Use curl or similar tools to simulate refresh token requests with manipulated `client_session_host` values in a controlled environment to verify if the server issues outbound requests.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Review and modify the Keycloak client configurations to avoid using the `backchannel.logout.url` with the `application.session.host` placeholder.
  • Restrict or validate the `client_session_host` parameter to prevent attacker-controlled values from being accepted during refresh token requests.
  • Monitor and audit logout events and refresh token requests for suspicious activity.
  • Apply any available patches or updates from Keycloak or your Linux distribution that address this vulnerability.
  • Limit network access from the Keycloak server to internal resources where possible to reduce the impact of SSRF.
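Added example (not code from this page or from the Keycloak project) that combines the log check from the detection answer with the configuration review from the mitigation list: it audits a realm export for clients whose `backchannel.logout.url` still embeds the `application.session.host` placeholder, and flags refresh-token requests whose `client_session_host` is not a host that client is expected to report. The realm export, the log lines and their layout, the expected-host allowlist and the `${application.session.host}` spelling of the placeholder are all constructed or assumed here.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed realm export fragment (only the fields the check reads); not from any real deployment.
REALM_EXPORT = json.dumps({"clients": [
    {"clientId": "portal", "attributes": {"backchannel.logout.url": "https://portal.example.internal/logout"}},
    {"clientId": "legacy-app", "attributes": {"backchannel.logout.url": "https://${application.session.host}/k_logout"}},
    {"clientId": "cli", "attributes": {}},
]})

# Assumed spelling of the placeholder; the advisory names it only as "application.session.host".
PLACEHOLDER = "application.session.host"

def clients_using_session_host_placeholder(export_json: str) -> list:
    """Client IDs whose backchannel logout URL is built from the caller-supplied client_session_host."""
    realm = json.loads(export_json)
    return [c["clientId"] for c in realm.get("clients", [])
            if PLACEHOLDER in c.get("attributes", {}).get("backchannel.logout.url", "")]

# Constructed log lines in an assumed "METHOD PATH BODY" layout, as a reverse proxy that logs
# token-endpoint form bodies might produce. Keycloak's own request log omits bodies; adapt TOKEN_RE.
LOG_LINES = [
    "POST /realms/demo/protocol/openid-connect/token grant_type=refresh_token&client_id=legacy-app&client_session_host=app1.example.internal",
    "POST /realms/demo/protocol/openid-connect/token grant_type=refresh_token&client_id=legacy-app&client_session_host=10.0.0.5",
    "POST /realms/demo/protocol/openid-connect/token grant_type=password&client_id=cli",
    "POST /realms/demo/protocol/openid-connect/token grant_type=refresh_token&client_id=portal&client_session_host=evil.example.com",
]

# Hosts each client's deployed instances are expected to report in client_session_host (constructed).
EXPECTED_HOSTS = {"legacy-app": {"app1.example.internal", "app2.example.internal"}}

TOKEN_RE = re.compile(r"^POST \S*/protocol/openid-connect/token (?P<body>\S+)$")

def suspicious_refresh_requests(lines, expected_hosts):
    """(client_id, host) pairs for refresh-token requests whose client_session_host is not expected."""
    hits = []
    for line in lines:
        m = TOKEN_RE.match(line)
        if not m:
            continue
        form = parse_qs(m.group("body"))
        if form.get("grant_type") != ["refresh_token"] or "client_session_host" not in form:
            continue
        client = form.get("client_id", [""])[0]
        host = form["client_session_host"][0]
        if host not in expected_hosts.get(client, set()):
            hits.append((client, host))
    return hits
```

Every client returned by `clients_using_session_host_placeholder` is one whose logout URL is derived from a request parameter, and each pair returned by `suspicious_refresh_requests` is a refresh request worth correlating with outbound POSTs from the Keycloak host.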

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows an authenticated attacker to perform Server-Side Request Forgery (SSRF) from the Keycloak server, potentially accessing internal networks or internal APIs that are not externally accessible.

This could lead to information disclosure, which may impact compliance with standards and regulations such as GDPR or HIPAA that require protection of sensitive data and internal systems.

However, exploitation requires valid user credentials and specific client configuration, which may limit the risk.
