CVE-2026-4874EPSS p16.1%

CVE-2026-4874CVE-2026-4874

redhat / build_of_keycloak

Description

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.

Scoring

CVSS 3.1 ()
VectorCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS0.25% probability of exploitation · percentile 16.1% · 2026-06-19T12:03:05Z
Last modified2026-06-10

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-7507
CVE
CVE-2026-4366
CVE
CVE-2026-9802
CVE
CVE-2026-7571
CVE
CVE-2026-7504
CVE
CVE-2026-9087
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.