CVE-2026-1180 MEDIUM

CVE-2026-1180: Org.keycloak.protocol.oidc: blind server-side request forgery (ssrf) in keycloak oidc dynamic client registration via jwks_uri

Vendor Red Hat
Product Red Hat build of Keycloak 26.4.11
Weakness CWE-918 · SSRF
Published January 20, 2026
Last update April 2, 2026
View on NVD All CVEs

CVSS base score

5.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

What the vulnerability does

01Description

A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.

Key dates

02Disclosure timeline

January 20, 2026 CVE published
April 2, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2022-0767 Server-Side Request Forgery (SSRF) in janeczku/calibre-web CVE-2025-34469 Cowrie < 2.9.0 Unrestricted wget/curl Emulation Enables SSRF-Based DDoS Amplification CVE-2025-10211 yanyutao0402 ChanCMS getArticle CollectController server-side request forgery CVE-2026-33766 AVideo has SSRF Protection Bypass via HTTP Redirect in Image Download Endpoints CVE-2024-35635 WordPress Ninja Tables plugin <= 5.0.9 - Server Side Request Forgery (SSRF) vulnerability