{
  "threat_severity" : "Moderate",
  "public_date" : "2026-01-19T00:00:00Z",
  "bugzilla" : {
    "description" : "org.keycloak.protocol.oidc: Blind Server-Side Request Forgery (SSRF) in Keycloak OIDC Dynamic Client Registration via jwks_uri",
    "id" : "2430781",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2430781"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-918",
  "details" : [ "A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.", "A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk." ],
  "statement" : "This vulnerability is rated Moderate for Red Hat. The flaw in Keycloak's OIDC Dynamic Client Registration allows an attacker to force the Keycloak server to make requests to internal network resources via a crafted jwks_uri parameter. This can lead to information disclosure and internal network reconnaissance, particularly in configurations that permit anonymous or token-based client registration.",
  "acknowledgement" : "Red Hat would like to thank Lucas Montes (Nirox) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6478",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-operator-bundle:26.4.11-1"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6478",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9:26.4-14"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6478",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9-operator:26.4-14"
  }, {
    "product_name" : "Red Hat build of Keycloak 26.4.11",
    "release_date" : "2026-04-02T00:00:00Z",
    "advisory" : "RHSA-2026:6477",
    "cpe" : "cpe:/a:redhat:build_keycloak:26.4::el9",
    "package" : "rhbk/keycloak-rhel9"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Fix deferred",
    "package_name" : "rhbk/keycloak-operator-bundle",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat Build of Keycloak",
    "fix_state" : "Fix deferred",
    "package_name" : "rhbk/keycloak-rhel9-operator",
    "cpe" : "cpe:/a:redhat:build_keycloak:"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 8",
    "fix_state" : "Not affected",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:8"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack",
    "fix_state" : "Not affected",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:jbosseapxp"
  }, {
    "product_name" : "Red Hat Single Sign-On 7",
    "fix_state" : "Not affected",
    "package_name" : "keycloak-services",
    "cpe" : "cpe:/a:redhat:red_hat_single_sign_on:7"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2026-1180\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1180" ],
  "name" : "CVE-2026-1180",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}