{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1518", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2026-01-28T08:08:15.419Z", "datePublished": "2026-02-02T07:17:46.557Z", "dateUpdated": "2026-02-02T14:07:02.915Z"}, "containers": {"cna": {"title": "Keycloak: blind server-side request forgery (ssrf) via ciba backchannel notification endpoint in keycloak", "metrics": [{"other": {"content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak\u2019s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services."}], "affected": [{"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-operator-bundle", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}, {"vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhbk/keycloak-rhel9-operator", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:build_keycloak:"]}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-1518", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433727", "name": "RHBZ#2433727", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2026-01-28T00:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-918: Server-Side Request Forgery (SSRF)", "workarounds": [{"lang": "en", "value": "To mitigate this issue, restrict administrative access to Keycloak instances. Ensure that only trusted and authorized personnel have the necessary privileges to configure client settings, including the backchannel_client_notification_endpoint. This limits the ability of an attacker to manipulate the endpoint for SSRF attacks."}], "timeline": [{"lang": "en", "time": "2026-01-28T08:06:13.712000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-01-28T00:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Patrick Smith for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-02-02T07:17:46.557Z"}, "x_generator": {"engine": "cvelib 1.8.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-02T14:03:51.798430Z", "id": "CVE-2026-1518", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T14:07:02.915Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1518", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-02T14:03:51.798430Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-02T14:06:50.326Z"}}], "cna": {"title": "Keycloak: blind server-side request forgery (ssrf) via ciba backchannel notification endpoint in keycloak", "credits": [{"lang": "en", "value": "Red Hat would like to thank Patrick Smith for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Low", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 2.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}}], "affected": [{"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "rhbk/keycloak-operator-bundle", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "rhbk/keycloak-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:build_keycloak:"], "vendor": "Red Hat", "product": "Red Hat Build of Keycloak", "packageName": "rhbk/keycloak-rhel9-operator", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2026-01-28T08:06:13.712000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2026-01-28T00:00:00+00:00", "value": "Made public."}], "datePublic": "2026-01-28T00:00:00.000Z", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2026-1518", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433727", "name": "RHBZ#2433727", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "To mitigate this issue, restrict administrative access to Keycloak instances. Ensure that only trusted and authorized personnel have the necessary privileges to configure client settings, including the backchannel_client_notification_endpoint. This limits the ability of an attacker to manipulate the endpoint for SSRF attacks."}], "x_generator": {"engine": "cvelib 1.8.0"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak\u2019s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF)"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2026-02-02T07:17:46.557Z"}, "x_redhatCweChain": "CWE-918: Server-Side Request Forgery (SSRF)"}}, "cveMetadata": {"cveId": "CVE-2026-1518", "state": "PUBLISHED", "dateUpdated": "2026-02-02T14:07:02.915Z", "dateReserved": "2026-01-28T08:08:15.419Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2026-02-02T07:17:46.557Z", "assignerShortName": "redhat"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Keycloak\u2019s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services."}], "id": "CVE-2026-1518", "lastModified": "2026-02-03T16:44:36.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 2.7, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 1.4, "source": "[email protected]", "type": "Primary"}]}, "published": "2026-02-02T08:16:06.217", "references": [{"source": "[email protected]", "url": "https://access.redhat.com/security/cve/CVE-2026-1518"}, {"source": "[email protected]", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433727"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "[email protected]", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Patrick Smith for reporting this issue.", "bugzilla": {"description": "keycloak: Blind Server-Side Request Forgery (SSRF) via CIBA Backchannel Notification Endpoint in Keycloak", "id": "2433727", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2433727"}, "csaw": false, "cvss3": {"cvss3_base_score": "2.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["A flaw was found in Keycloak\u2019s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, restrict administrative access to Keycloak instances. Ensure that only trusted and authorized personnel have the necessary privileges to configure client settings, including the backchannel_client_notification_endpoint. This limits the ability of an attacker to manipulate the endpoint for SSRF attacks."}, "name": "CVE-2026-1518", "package_state": [{"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Fix deferred", "package_name": "rhbk/keycloak-operator-bundle", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Fix deferred", "package_name": "rhbk/keycloak-rhel9", "product_name": "Red Hat Build of Keycloak"}, {"cpe": "cpe:/a:redhat:build_keycloak:", "fix_state": "Fix deferred", "package_name": "rhbk/keycloak-rhel9-operator", "product_name": "Red Hat Build of Keycloak"}], "public_date": "2026-01-28T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1518\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1518"], "statement": "This LOW impact flaw in Red Hat Build of Keycloak allows a highly privileged attacker to perform blind Server-Side Request Forgery (SSRF). By configuring the CIBA backchannel notification endpoint to an internal URL, an attacker can induce Keycloak to send requests to arbitrary internal services. Exploitation requires administrative access or a valid Initial Access Token to configure client settings.", "threat_severity": "Low"}