CVE-2026-1518

A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services.

More information : https://access.redhat.com/security/cve/CVE-2026-1518