A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.
Exploitability
AV:NAC:LPR:NUI:NScope
S:CImpact
C:LI:NA:N5.8/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:NInput Validation