CVE 2.7 LOW

Keycloak: blind server-side request forgery (ssrf) via ciba backchannel notification endpoint in keycloak_CVE-2026-1518

February 2, 2026 invoker category_cve
2.7 / 10
LOW
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Description

A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services.

Basic Information

ID CVE-2026-1518
Source redhat
Published Feb 2, 2026 at 07:17

Affected Product

Vendor Red Hat
Product Red Hat Build of Keycloak

CWE Classification

CWE-918

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.