CVE-2026-1518

Summary

A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services.

Affected Software

VendorProductVersion RangeStatus

Weaknesses

  • CWE-918: Server-Side Request Forgery (SSRF)

Workarounds

To mitigate this issue, restrict administrative access to Keycloak instances. Ensure that only trusted and authorized personnel have the necessary privileges to configure client settings, including the backchannel_client_notification_endpoint. This limits the ability of an attacker to manipulate the endpoint for SSRF attacks.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References