CVE-2026-4874
LowCVSS 3.1Exploitation Probability (EPSS)
Low risk21th percentile — higher than 21% of all known CVEs
Summary
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder.
Risk Assessment
Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
Recommendation
It is recommended to immediately update Keycloak to a version that fixes this vulnerability. As a temporary workaround, avoid using the `application.session.host` placeholder in `backchannel.logout.url`.
Original NVD description (English source)
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.

