Vulnerability Description
A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or restricted resources. As a result, sensitive internal services such as cloud metadata endpoints could be accessed. This issue may lead to information disclosure and enable attackers to map internal network infrastructure.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Build Of Keycloak | - |
| Redhat | Jboss Enterprise Application Platform | 8.0.0 |
| Redhat | Jboss Enterprise Application Platform Expansion Pack | - |
| Redhat | Single Sign-On | 7.0 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/security/cve/CVE-2026-4366Vendor Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=2448543Issue TrackingVendor Advisory
FAQ
What is CVE-2026-4366?
CVE-2026-4366 is a vulnerability with a CVSS score of 5.8 (MEDIUM). A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an...
How severe is CVE-2026-4366?
CVE-2026-4366 has been rated MEDIUM with a CVSS base score of 5.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-4366?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Build Of Keycloak, Redhat Jboss Enterprise Application Platform, Redhat Jboss Enterprise Application Platform Expansion Pack, Redhat Single Sign-On.