CVE-2026-4874: Server-Side Request Forgery in Keycloak

Verified by Precogs Threat Research
Last Updated: Mar 26, 2026
Base Score: LOW

Executive Summary

CVE-2026-4874 is a low-severity Server-Side Request Forgery (CWE-918) vulnerability affecting Keycloak. Patch affected Keycloak instances and their dependencies promptly to limit exposure.

Precogs AI Insight

"Precogs AI detected this vulnerability pattern in Server-Side Request Forgery implementations. The pattern deviates from documented secure coding standards, suggesting a high likelihood of exploitation if unpatched."

Exploit Probability (EPSS): Low (0.0%)
Public POC: Undisclosed
Exploit Probability: Low (<10%)
Public POC: Available
Affected Assets: CWE-918

Summary

A low-severity Server-Side Request Forgery vulnerability (CVE-2026-4874) has been identified in Keycloak, the widely deployed open-source identity and access management platform. An authenticated attacker can abuse server-side HTTP requests to probe internal network services (CWE-918).

Technical Details

The issue is classified under CWE-918 (Server-Side Request Forgery). Keycloak processes user-supplied URLs in certain configuration or federation endpoints without sufficiently restricting the target hostname or IP range. This allows an authenticated user to redirect server-side HTTP requests to internal network addresses.

While the CVSS score is 3.1 (Low) due to the authentication requirement, the real-world impact in cloud environments can be severe when the SSRF is used to access cloud metadata endpoints.

Exploitation Context

  • Vector: Remote / Network-based
  • Authentication: Low (standard user account required)
  • Complexity: High
  • Impact: Low (Confidentiality only)

In cloud environments (AWS, GCP, Azure), SSRF can be escalated to access the instance metadata endpoint (169.254.169.254), stealing temporary IAM credentials that grant access to cloud infrastructure.

Remediation

Keycloak administrators should immediately:

  1. Apply the latest security patches from the Keycloak project that restrict outbound request targets.
  2. Implement network-level controls (firewall rules, security groups) to prevent the Keycloak server from reaching internal services and cloud metadata endpoints.
  3. Deploy SSRF-aware proxy configurations that block requests to RFC 1918 private IP ranges and link-local addresses.

Precogs AI Integration

The Precogs AI Code Security Platform identifies SSRF vulnerabilities by tracing user-controlled URL parameters through to HTTP client execution sinks. Precogs verifies that URL scheme restrictions, hostname whitelisting, and private IP range blocking are enforced before any outbound request is made.

Vulnerability Code Signature

Attack Data Flow

Source: User-supplied URL parameter
Vector: Server fetches the user-controlled URL
Sink: HTTP request library (e.g., fetch, axios)
Impact: Access to internal services, metadata endpoints, or port scanning

Vulnerable Code Pattern

// ❌ VULNERABLE: Server-Side Request Forgery
app.get('/proxy', async (req, res) => {
  const targetUrl = req.query.url;
  // Taint sink: unvalidated outbound request
  const response = await fetch(targetUrl);
  res.send(await response.text());
});

Secure Code Pattern

// ✅ SECURE: Allowlist validation
const ALLOWED_DOMAINS = ['api.partner.com'];
app.get('/proxy', async (req, res) => {
  let targetUrl;
  try {
    // new URL() throws on malformed input; without the catch that becomes an unhandled 500
    targetUrl = new URL(String(req.query.url));
  } catch {
    return res.status(400).send("Invalid URL");
  }

  // Check the scheme as well as the host: an allowlisted host is only useful over HTTPS
  if (targetUrl.protocol !== 'https:' || !ALLOWED_DOMAINS.includes(targetUrl.hostname)) {
    return res.status(403).send("Domain not allowed");
  }

  // Sanitized outbound request; redirects are not followed, since a 3xx from the
  // allowlisted host could otherwise point the server at an internal address
  const response = await fetch(targetUrl.href, { redirect: 'manual' });
  res.send(await response.text());
});

How Precogs Detects This

Precogs API Security Engine actively detects SSRF vulnerabilities by tracking unvalidated URL sinks and enforcing strict allowlist policies.

Related Vulnerabilities (via CWE-918)

CVE-2026-35431 (10 CRITICAL, CWE-918)
Server-side request forgery (SSRF) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to perform spoofing over a network

CVE-2026-32210 (9.3 CRITICAL, CWE-918)
Server-side request forgery (SSRF) in Microsoft Dynamics 365 (Online) allows an unauthorized attacker to perform spoofing over a network

CVE-2026-32186 (10 CRITICAL, CWE-918)
Server-side request forgery (SSRF) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a network

CVE-2026-4528 (7.3 HIGH, CWE-918)
A vulnerability was determined in trueleaf ApiFlow 0.

CVE-2024-56279 (6.5 MEDIUM, CWE-918)
Server-Side Request Forgery (SSRF) — Cloud metadata access

CVE-2025-27774 (7.5 HIGH, CWE-918)
Blind SSRF with Arbitrary File Read

Is your system affected?

Precogs AI detects CVE-2026-4874 in compiled binaries, LLMs, and application layers — even without source code access.