Keycloak CIBA Feature Blind Server-Side Request Forgery Vulnerability

Vulnerability

A blind server-side request forgery (SSRF) vulnerability has been identified in the CIBA feature of Keycloak. This issue arises from inadequate validation of client-configured backchannel notification endpoints, which could permit blind server-side requests to internal services. The vulnerability affects Keycloak instances where an attacker with administrative privileges or a valid Initial Access Token can manipulate the backchannel notification endpoint to target arbitrary internal URLs, including localhost or cloud metadata services.

Impact

Exploitation of this vulnerability allows a highly privileged attacker to perform blind server-side request forgery, sending requests from the Keycloak server to internal services without direct visibility into the response.

Reproduction

To reproduce this vulnerability, an administrator must configure a client's CIBA backchannel notification endpoint to an internal URL. Once set, initiating a CIBA authentication request in ping mode causes Keycloak to send a blind POST request to that endpoint, which is the SSRF behavior described above.

Remediation

To mitigate this vulnerability, restrict administrative access to Keycloak instances (including the issuance of Initial Access Tokens) so that only trusted personnel can configure client settings such as the backchannel notification endpoint.
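As an added example (not Keycloak's own code), the kind of defender-side check a deployment could apply before accepting a client-configured backchannel notification endpoint: it rejects non-HTTPS URLs, loopback, private, link-local and unspecified addresses (including the cloud metadata address) and well-known internal hostnames, with an optional hostname allow-list. The function and set names are hypothetical and the blocked hostname list is constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# Hostnames a server-originated callback must never target (constructed list;
# extend for your environment).
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal", "metadata"}


def _is_disallowed_ip(ip) -> bool:
    """True for literal addresses a Keycloak-originated POST must not reach."""
    # Unwrap IPv4-mapped IPv6 (e.g. ::ffff:127.0.0.1) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_backchannel_endpoint(url: str, allowed_hosts=None):
    """Return (ok, reason) for a proposed backchannel notification endpoint.

    Only literal IPs are range-checked here; a DNS name that resolves to an
    internal address at send time (DNS rebinding) must be re-checked by the
    HTTP client after resolution.
    """
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, "scheme must be https"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    if host.lower().rstrip(".") in BLOCKED_HOSTNAMES:
        return False, f"blocked hostname {host}"
    try:
        ip = ipaddress.ip_address(host)  # urlsplit strips IPv6 brackets
    except ValueError:
        ip = None  # a DNS name rather than a literal address
    if ip is not None and _is_disallowed_ip(ip):
        return False, f"internal address {ip} is not allowed"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host {host} is not in the allow-list"
    return True, "ok"
```

Pairing this with an allow-list of known client callback hosts is the stronger configuration, since a deny-list only covers the ranges it names.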

Added: Feb 2, 2026, 8:18 AM
Updated: Feb 2, 2026, 8:18 AM

Vulnerability Rating (Custom Algorithm)

spread: 5.2
impact: 0.4
exploitability: 5.8
remediation: 7.9
relevance: 2.4
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.