CVE-2026-4874
ADVISORY - githubSummary
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the client_session_host parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
EPSS Score: 0.00024 (0.065)
Common Weakness Enumeration (CWE)
ADVISORY - nist
Server-Side Request Forgery (SSRF)
ADVISORY - github
Server-Side Request Forgery (SSRF)
ADVISORY - redhat
Server-Side Request Forgery (SSRF)
NIST
CREATED
UPDATED
ADVISORY IDCVE-2026-4874
EXPLOITABILITY SCORE
1.6
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
3.1lowGitHub
CREATED
UPDATED
ADVISORY IDGHSA-22rm-wp4x-v5cx
EXPLOITABILITY SCORE
1.6
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
3.1lowRed Hat
CREATED
UPDATED
ADVISORY IDCVE-2026-4874
EXPLOITABILITY SCORE
1.6
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CVSS SCORE
3.1lowChainguard
CREATED
UPDATED
ADVISORY ID
CGA-4gx6-j35v-22q2
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
minimos
CREATED
UPDATED
ADVISORY ID
MINI-fjg7-pcfc-jg7h
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-
minimos
CREATED
UPDATED
ADVISORY ID
MINI-v6pv-3f3f-2qv5
EXPLOITABILITY SCORE
-
EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)-