Home

Description

A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.

PUBLISHED Reserved 2026-01-19 | Published 2026-01-20 | Updated 2026-01-21 | Assigner redhat




MEDIUM: 5.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Problem types

Server-Side Request Forgery (SSRF)

Product status

Default status
affected

Default status
affected

Default status
affected

Default status
unaffected

Default status
unaffected

Default status
unaffected

Timeline

2026-01-19:Reported to Red Hat.
2026-01-19:Made public.

Credits

Red Hat would like to thank Lucas Montes (Nirox) for reporting this issue.

References

access.redhat.com/security/cve/CVE-2026-1180 vdb-entry

bugzilla.redhat.com/show_bug.cgi?id=2430781 (RHBZ#2430781) issue-tracking

cve.org (CVE-2026-1180)

nvd.nist.gov (CVE-2026-1180)

Download JSON