CVE-2026-4874
CVE-2026-4874: Server-Side Request Forgery in Keycloak
Executive Summary
CVE-2026-4874 is a low-severity Server-Side Request Forgery (CWE-918) vulnerability in Keycloak. An authenticated user can make the Keycloak server issue HTTP requests to destinations it should not reach. Patch Keycloak and restrict the server's outbound network access to limit exposure; the low base score understates the risk on cloud hosts where the instance metadata service is reachable.
Precogs AI Insight
"Precogs AI detected this vulnerability pattern in Server-Side Request Forgery implementations. The pattern deviates from documented secure coding standards, suggesting a high likelihood of exploitation if unpatched."
Summary
A low-severity Server-Side Request Forgery vulnerability (CVE-2026-4874) has been identified in Keycloak, the widely deployed open-source identity and access management platform. An authenticated attacker can steer server-side HTTP requests at attacker-chosen hosts and use the responses to probe internal network services (CWE-918).
Technical Details
The issue is classified under CWE-918 (Server-Side Request Forgery). Keycloak processes user-supplied URLs in certain configuration or federation endpoints without sufficiently restricting the target hostname or IP range. This allows an authenticated user to direct Keycloak's server-side HTTP requests at internal network addresses that the user cannot reach directly, and to learn from status codes, error messages or response timing which internal hosts and ports are listening.
While the CVSS base score is 3.1 (Low), reflecting the need for an authenticated account, the high attack complexity and a confidentiality-only impact, the real-world impact in cloud environments can be considerably higher when the SSRF is turned against the cloud provider's instance metadata service.
Exploitation Context
- Attack Vector: Network (remote)
- Privileges Required: Low (a standard user account suffices)
- Attack Complexity: High
- Impact: Low (confidentiality only; no integrity or availability impact)
In cloud environments (AWS, GCP, Azure), an SSRF can be escalated by pointing it at the instance metadata endpoint (169.254.169.254) to obtain temporary credentials for the instance's role, which may grant access to the surrounding cloud infrastructure. Whether this works depends on how much of the request the attacker controls: AWS IMDSv2 requires a PUT to obtain a session token and a header carrying that token on every subsequent GET, GCP requires the Metadata-Flavor: Google request header, and Azure requires the Metadata: true request header. A GET-only SSRF with no header control therefore mainly threatens AWS hosts where IMDSv1 is still enabled, and enforcing IMDSv2 is a worthwhile compensating control on its own.
Remediation
Keycloak administrators should immediately:
- Apply the latest security patches from the Keycloak project that restrict outbound request targets.
- Restrict the Keycloak server's egress at the network level (firewall rules, security groups, Kubernetes network policies) to the destinations it actually needs, such as its database, LDAP or Kerberos servers, upstream identity providers and SMTP relay, and explicitly deny the cloud metadata endpoint; on AWS, additionally require IMDSv2 so that a GET-based SSRF cannot read credentials even if the network block is bypassed.
- Validate outbound request targets in the application or in an SSRF-aware egress proxy: allow only http and https, reject loopback, RFC 1918, carrier-grade NAT (100.64.0.0/10), link-local (169.254.0.0/16 and fe80::/10) and IPv6 unique-local (fc00::/7) ranges, unwrap IPv4-mapped IPv6 addresses before checking them, resolve the hostname and check every returned address, and connect to the address that was checked rather than resolving again, so that DNS rebinding between check and use cannot redirect the request.
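As an added example, not code from this advisory or from the Keycloak project, the following Python check implements the target-validation rules listed above using only the standard library: scheme allowlist, optional hostname allowlist, resolve-then-verify of every returned address, and a pinned address for the HTTP client to connect to. The hostnames, the FAKE_DNS table and the address 93.184.216.34 are constructed stand-ins so the example runs offline; a real deployment would pass the default resolver and its own allowlist.

```python
"""SSRF-aware check for an outbound URL (added example, not Keycloak code):
scheme allowlist, optional host allowlist, resolve-then-verify every address,
and return a pinned address so a second DNS answer cannot redirect the client."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Listed explicitly for readability; both are already non-global addresses.
METADATA_ENDPOINTS = (
    ipaddress.ip_network("169.254.169.254/32"),  # AWS, GCP and Azure IMDS (IPv4)
    ipaddress.ip_network("fd00:ec2::254/128"),   # AWS IMDS IPv6 endpoint
)


def address_is_forbidden(ip: str) -> bool:
    """True for any address an identity server must never be sent to."""
    addr = ipaddress.ip_address(ip.split("%", 1)[0])   # drop IPv6 scope id
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped   # ::ffff:169.254.169.254 -> 169.254.169.254
    if any(addr in net for net in METADATA_ENDPOINTS):
        return True
    # is_global is False for loopback, link-local, RFC 1918, 100.64.0.0/10,
    # fc00::/7, unspecified and reserved space; multicast is refused as well.
    return (not addr.is_global) or addr.is_multicast


def resolve_host(host: str) -> list:
    """Real resolver: every A/AAAA answer, so a mixed answer set is caught."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_outbound_url(url: str, resolve=resolve_host, allowed_hosts=None):
    """Return (allowed, detail). When allowed, detail is the address to
    connect to; the original hostname still goes in the Host header and SNI."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host not in allowlist: {host}"
    try:
        addrs = [str(ipaddress.ip_address(host))]   # IP literal: no lookup
    except ValueError:
        # Spellings such as 0x7f000001 or 2130706433 are not IP literals to
        # ipaddress but resolve to 127.0.0.1 on glibc-style resolvers;
        # checking resolver output instead of the string catches them.
        addrs = resolve(host)
    if not addrs:
        return False, f"unresolvable host: {host}"
    for ip in addrs:
        if address_is_forbidden(ip):
            return False, f"{host} resolves to forbidden address {ip}"
    return True, addrs[0]


# Constructed, offline stand-in for DNS so the example runs without network.
FAKE_DNS = {
    "idp.example.com": ["93.184.216.34"],
    "localhost": ["127.0.0.1", "::1"],
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],   # mixed answers
    "mapped.attacker.test": ["::ffff:169.254.169.254"],
}


def fake_resolve(host: str) -> list:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("https://idp.example.com/.well-known/openid-configuration",
                "http://169.254.169.254/latest/meta-data/",
                "http://localhost:8080/",
                "https://rebind.attacker.test/",
                "https://mapped.attacker.test/",
                "http://[fd00:ec2::254]/",
                "file:///etc/passwd",
                "https://user@idp.example.com/"):
        print(url, "->", check_outbound_url(url, resolve=fake_resolve))
```

The check must be the last step before the connection is opened, and the client must connect to the returned address instead of re-resolving the name; HTTP clients that follow redirects also need the check re-applied to every redirect target, since a permitted external host can answer with a 302 to the metadata address.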
Precogs AI Integration
The Precogs AI Code Security Platform identifies SSRF vulnerabilities by tracing user-controlled URL parameters through to HTTP client execution sinks. Precogs verifies that URL scheme restrictions, hostname whitelisting, and private IP range blocking are enforced before any outbound request is made.