Back to blog
KeycloakIAMCVE

Keycloak and CVE-2026-1180: why dynamic client registration deserves real review

Published on 2026-04-116 min readCleanIssue

> TL;DR: In March 2026, Keycloak fixed a blind SSRF via jwks_uri in dynamic OIDC client registration. Here is why CVE-2026-1180 matters.

A recent IAM flaw with a lot to teach

In March 2026, the Keycloak project released version 26.5.6 with multiple security fixes. Among them, CVE-2026-1180 is described as a blind SSRF in OIDC dynamic client registration through jwks_uri.

Why this matters

When a vulnerability affects an identity provider, the risk is not limited to one badly filtered URL. An IAM component sits in front of authentication flows, clients, tokens, and often federated identity relationships. SSRF in that position can become a very useful internal discovery tool for an attacker.

What this says about IAM risk

Teams rightly think about crypto strength and permissions. But federation, remote resolution, and dynamic registration features deserve the same level of scrutiny.

The lesson for 2026

Keycloak patch releases need close attention. The project is shipping a steady stream of security fixes in 2026, which shows how quickly modern IAM stacks evolve. The most flexible OIDC features are often the ones that need the strongest guardrails.

Our view

CVE-2026-1180 is a strong example of a modern IAM flaw: not necessarily dramatic in raw form, but strategically useful inside a federated architecture. In this kind of stack, even a small network or logic opening can become very valuable.

Key Takeaways

  • Identify and test your exposed attack surfaces before a third party does.
  • Client-side security controls never replace server-side validation.
  • Regular audits are more effective than one-time checks — vulnerabilities appear with every deployment.
  • Building HR, payroll, or recruiting software? CleanIssue performs security audits for HR SaaS in real-world conditions, no source code access needed. For a first read of your exposure, start with an external review of your application.

    Sources

    Written by CleanIssue
    Reviewed on 2026-04-11

    Related services

    If this topic maps to a real risk in your stack, these are the most relevant CleanIssue audits.

    Need an external review of your HR SaaS?

    Share your product, stack, and client context. We will come back with the right review scope.

    Discuss your audit