CVE-2026-1180 in Keycloak
Summary
by MITRE • 01/20/2026
A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.
Analysis
by VulDB Data Team • 01/20/2026
CVE-2026-1180 is a server-side request forgery (SSRF) weakness in Keycloak's OpenID Connect Dynamic Client Registration implementation that affects client registrations using the private_key_jwt authentication method. It resides in the server's handling of the JSON Web Key Set (JWKS) URI a client supplies at registration: Keycloak does not validate the destination before fetching from it. A malicious registrant can therefore point jwks_uri at internal network resources or cloud metadata services, turning Keycloak into a proxy for network reconnaissance.
The flaw comes from the trust model of dynamic client registration: Keycloak accepts whatever jwks_uri the client supplies and retrieves the key set from it with its internal HTTP client, whether at registration time or when it first needs the keys to verify a client assertion. The missing check is not whether the target is reachable but whether it is a destination the server should ever contact. Because the fetch originates from Keycloak's own network position, the request can reach hosts that firewalls and network segmentation keep unreachable from outside, which is the SSRF condition that CWE-918 describes. The response is consumed as a JWKS document rather than returned to the registrant, so what typically leaks is whether the request succeeded, how it failed, or how long it took, unless an error message echoes part of the fetched body; that oracle is enough for host and port probing even if it is not a full read primitive.
Operationally, this gives an attacker reconnaissance capability from inside the perimeter. A vulnerable Keycloak server can be used to probe databases, application servers, management interfaces and cloud metadata endpoints that live on private networks and are otherwise blocked by firewalls or segmentation policies. Whether prior credentials are needed depends on realm configuration: Keycloak's dynamic registration endpoint accepts requests carrying an initial access token or, where the realm's anonymous client registration policies permit it, requests without one, so an internet-facing realm with permissive anonymous registration is the worst case, and a realm that requires initial access tokens still exposes the flaw to anyone holding one. Cloud deployments deserve particular attention because instance metadata endpoints return details about the virtual machine and its network configuration and, in many configurations, temporary service credentials.
The weakness maps to CWE-918 (Server-Side Request Forgery) and, in ATT&CK terms, to T1046 (Network Service Discovery) and T1082 (System Information Discovery). Deployments in which Keycloak has reachability to internal networks or cloud metadata are at elevated risk, since the flaw hands an external party internal reconnaissance without direct network access; the more tightly segmented the network Keycloak sits in, the more valuable the foothold the SSRF provides for information disclosure and further escalation.
Mitigation should start with strict validation of jwks_uri during client registration: require https, resolve the hostname and reject any answer that is loopback, link-local (which covers 169.254.169.254), RFC 1918, otherwise non-global, or a known metadata address, and re-apply the same check to every HTTP redirect and again at fetch time so that DNS rebinding between validation and retrieval cannot bypass it. Where the population of clients is known, allow-list the hosts from which a realm's clients may serve key sets. Reduce who can register at all: require initial access tokens, or constrain anonymous registration with the realm's client registration policies. Compound these with network controls, namely egress filtering on the Keycloak host or an outbound proxy that refuses private, link-local and metadata destinations, and on cloud hosts hardened metadata access such as IMDSv2 on AWS, whose PUT-obtained session token a GET-only fetch like a JWKS retrieval cannot produce. Monitor for outbound requests from Keycloak to non-public addresses and for registrations of private_key_jwt clients with unexpected jwks_uri values. Finally, upgrade to a Keycloak release that fixes CVE-2026-1180 by validating jwks_uri destinations instead of accepting arbitrary endpoints.
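The validation described above, and the registration-time decision point at which it belongs, as an added example. This is illustration code written for this analysis, not Keycloak's code or its fix: the function names, the stub DNS resolver and the two registration documents are constructed, the https-only rule is a design choice, and the "client_id" it returns is a placeholder.

```python
"""Validate an OIDC dynamic-registration jwks_uri before the server fetches it.

Added example, not Keycloak code. Resolver, function names and sample
registration bodies are constructed for illustration.
"""
import ipaddress
import uuid
from urllib.parse import urlsplit

# Constructed DNS answers so the example runs offline. A deployment would call
# socket.getaddrinfo() and re-run the same check on every redirect target.
SAMPLE_DNS = {
    "client.example.com": ["93.184.216.34"],                  # globally routable
    "metadata.google.internal": ["169.254.169.254"],          # GCP metadata, link-local
    "rebind.attacker.test": ["93.184.216.34", "10.0.0.5"],    # mixed answers (rebinding setup)
    "localtest.me": ["127.0.0.1"],                            # public name, loopback answer
}


def stub_resolver(host):
    """Stand-in for DNS; raises OSError like socket.gaierror on NXDOMAIN."""
    if host not in SAMPLE_DNS:
        raise OSError(f"NXDOMAIN: {host}")
    return SAMPLE_DNS[host]


def address_is_global(addr):
    """True only for globally routable unicast addresses.

    ipaddress.is_global is False for RFC 1918, loopback, link-local (covers
    169.254.169.254), CGNAT 100.64/10 (Alibaba's 100.100.100.200), fc00::/7
    (AWS IPv6 metadata fd00:ec2::254), multicast, reserved and doc ranges.
    """
    return ipaddress.ip_address(addr).is_global


def check_jwks_uri(uri, resolve=stub_resolver, allowed_hosts=None):
    """Return (ok, reason). Rejects anything the IdP should not be coerced to fetch."""
    try:
        parts = urlsplit(uri)
    except ValueError as exc:  # e.g. malformed IPv6 literal
        return False, f"unparseable URI: {exc}"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"{host} not in allow-list"
    # A literal address skips DNS. Odd spellings such as "2130706433" are not
    # literals here, so they go to the resolver and the resolved address is checked.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = list(resolve(host))
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "no addresses"
    for addr in addrs:  # every answer must pass, not just the first
        if not address_is_global(addr):
            return False, f"{host} resolves to non-global address {addr}"
    return True, "ok"


def register_client(registration, resolve=stub_resolver, allowed_hosts=None):
    """Constructed server-side decision point: validate jwks_uri before storing it."""
    uses_jwt_auth = registration.get("token_endpoint_auth_method") == "private_key_jwt"
    jwks_uri = registration.get("jwks_uri")
    if uses_jwt_auth and jwks_uri:
        ok, reason = check_jwks_uri(jwks_uri, resolve, allowed_hosts)
        if not ok:
            return {"error": "invalid_client_metadata",
                    "error_description": f"jwks_uri rejected: {reason}"}
    return {"client_id": uuid.uuid4().hex, **registration}  # placeholder id


# Constructed registration bodies in the shape of OIDC Dynamic Client Registration requests.
BENIGN_REGISTRATION = {
    "client_name": "partner-app",
    "token_endpoint_auth_method": "private_key_jwt",
    "grant_types": ["client_credentials"],
    "jwks_uri": "https://client.example.com/.well-known/jwks.json",
}
PROBE_REGISTRATION = {
    "client_name": "probe",
    "token_endpoint_auth_method": "private_key_jwt",
    "grant_types": ["client_credentials"],
    # What a registrant would submit to make the IdP reach the EC2 metadata service.
    "jwks_uri": "https://169.254.169.254/latest/meta-data/iam/security-credentials/",
}

if __name__ == "__main__":
    for doc in (BENIGN_REGISTRATION, PROBE_REGISTRATION):
        print(doc["client_name"], "->", register_client(doc))
```

Two points of the design matter more than the list of ranges. First, every DNS answer must pass, because an attacker controls the name and can return one public and one private address. Second, this check runs before the fetch, so the fetch is a second resolution; the HTTP client that actually retrieves the key set should connect to the address that was validated, or run the same check inside its connection hook and on each redirect, otherwise a rebinding name defeats the registration-time check.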