Description

A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or restricted resources. As a result, sensitive internal services such as cloud metadata endpoints could be accessed. This issue may lead to information disclosure and enable attackers to map internal network infrastructure.

Remediation

References

CVE-2026-4366

Related Vulnerabilities

WordPress Plugin TheCartPress eCommerce Shopping Cart Order Information Security Bypass (1.1.9.2)

WordPress Plugin Magic Post Voice Cross-Site Scripting (1.2)

WordPress Plugin HTML5 jQuery Audio Player Multiple Cross-Site Scripting Vulnerabilities (2.3)

WordPress Plugin Product Addons & Fields for WooCommerce Cross-Site Scripting (18.3)

WordPress Plugin Simple 301 Redirects-Addon-Bulk Uploader Multiple Security Bypass Vulnerabilities (1.2.4)

Severity

Medium

Classification

CVE-2026-4366 CWE-918 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Tags

Missing Update Known Vulnerabilities