Keycloak and CVE-2026-1180: why dynamic client registration deserves real review
A recent IAM flaw with a lot to teach
In March 2026, the Keycloak project released version 26.5.6 with multiple security fixes. Among them, CVE-2026-1180 is described as a blind SSRF in OpenID Connect (OIDC) dynamic client registration through the jwks_uri parameter: a URL supplied by whoever registers the client, which the server then fetches itself to obtain the client's public keys.
Why this matters
When a vulnerability affects an identity provider, the risk is not limited to one badly filtered URL. An IAM component sits in front of authentication flows, clients, tokens, and often federated identity relationships, so it usually has network reach into exactly the systems an attacker wants to map. A blind SSRF returns no response body, but differences in error messages and timing are enough to discover internal hosts and open ports, and in a cloud deployment the link-local metadata service is an obvious target. SSRF in that position becomes a very useful internal discovery tool.
What this says about IAM risk
Teams rightly review key lengths, signing algorithms, and role permissions. Features that make the server resolve something remote, such as federation to upstream providers, discovery of remote metadata, and dynamic client registration, deserve the same scrutiny, because each of them turns attacker-controlled input into an outbound request made by the identity provider itself. Who may call the registration endpoint, and which URLs it is allowed to fetch, are security decisions rather than convenience settings.
The lesson for 2026
Keycloak patch releases need close attention. The project is shipping a steady stream of security fixes in 2026, which reflects how quickly modern IAM stacks evolve and how much surface they expose. The most flexible OIDC features are often the ones that need the strongest guardrails: restrict anonymous registration, allow-list or strictly validate every URL the server will fetch on a client's behalf, and back that up with egress filtering so that a bypass of the application-level check still cannot reach internal networks.
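As an added illustration, here is the kind of guard a registration endpoint needs before it fetches a client-supplied jwks_uri. This is example code written for this note, not Keycloak's code and not the project's fix for CVE-2026-1180; the function names are hypothetical, and the hostnames and addresses in the sample DNS table are constructed so the script runs offline. It rejects non-HTTPS schemes, embedded credentials, unexpected ports, IP literals and hostnames that resolve to loopback, private, link-local (including the 169.254.169.254 metadata address), CGNAT or IPv4-mapped IPv6 addresses, and it refuses names that resolve to a mix of public and internal addresses.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Ranges an SSRF guard must refuse: loopback, RFC 1918, link-local (the cloud
# metadata endpoint 169.254.169.254 lives here), CGNAT, multicast, reserved,
# IPv6 unspecified/loopback/ULA/link-local and IPv4-mapped IPv6.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "::ffff:0:0/96", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def system_resolver(host):
    """Resolve a hostname to every address it currently maps to (A and AAAA)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_blocked(ip):
    # Unwrap ::ffff:10.0.0.1 style literals so the IPv4 rules apply to them too.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (not ip.is_global) or any(ip in net for net in BLOCKED_NETWORKS)


def validate_jwks_uri(uri, resolve=system_resolver, allowed_hosts=None,
                      allowed_ports=(443,)):
    """Decide whether a registration-supplied jwks_uri may be fetched.

    Returns (ok, detail). On success, detail is the list of addresses that were
    checked; the caller must connect to exactly those addresses instead of
    resolving the name again, otherwise a DNS-rebinding attacker can swap in an
    internal address between this check and the fetch.
    """
    parts = urlsplit(uri)
    if parts.scheme != "https":
        return False, "scheme must be https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port is not None and port not in allowed_ports:
        return False, f"port {port} is not allowed"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, f"host {host} is not on the allow-list"

    # Accept IP literals without a DNS round trip, otherwise resolve the name.
    try:
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, f"resolution failed: {exc}"
    if not addrs:
        return False, "name resolves to no addresses"

    # Every address must be public: a name that maps to one public and one
    # internal address is a rebinding/split-horizon trick, not a valid target.
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        if _is_blocked(ip):
            return False, f"{host} resolves to non-public address {ip}"
    return True, addrs


# Constructed DNS table for the offline demo; these are not real records.
SAMPLE_DNS = {
    "idp.example.com": ["93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"],
    "rebind.example.com": ["93.184.216.34", "10.0.0.5"],
    "metadata.example.com": ["169.254.169.254"],
    "mapped.example.com": ["::ffff:127.0.0.1"],
}


def sample_resolver(host):
    """Stand-in for system_resolver that answers from SAMPLE_DNS."""
    if host not in SAMPLE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return SAMPLE_DNS[host]


if __name__ == "__main__":
    for uri in ("https://idp.example.com/.well-known/jwks.json",
                "https://rebind.example.com/jwks",
                "https://metadata.example.com/latest/meta-data/",
                "https://[::1]/jwks",
                "http://idp.example.com/jwks"):
        print(uri, "->", validate_jwks_uri(uri, resolve=sample_resolver))
```

The check only helps if the fetch that follows honours it: open the TLS connection to one of the returned addresses and send the original hostname as SNI and Host header, rather than handing the URL to an HTTP client that resolves it again. Treat this as one layer; an allow-list of trusted registrant hosts and network egress rules on the identity provider are the backstops for anything the URL check misses.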
Our view
CVE-2026-1180 is a strong example of a modern IAM flaw: not dramatic on its own, but strategically useful inside a federated architecture, where the vulnerable component already holds trust and network reach. In this kind of stack, even a small network or logic opening can become very valuable.