CVE-2026-1518
2.7
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Summary
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services.
Affected Software
| Vendor | Product | Version Range | Status |
|---|
Weaknesses
- CWE-918: Server-Side Request Forgery (SSRF)
Workarounds
To mitigate this issue, restrict administrative access to Keycloak instances. Ensure that only trusted and authorized personnel have the necessary privileges to configure client settings, including the backchannel_client_notification_endpoint. This limits the ability of an attacker to manipulate the endpoint for SSRF attacks.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://access.redhat.com/security/cve/CVE-2026-1518
- https://bugzilla.redhat.com/show_bug.cgi?id=2433727
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.