Vulnerability DatabaseCVE-2026-4366

CVE-2026-4366:
JBoss EAP vulnerability analysis and mitigation

A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or restricted resources. As a result, sensitive internal services such as cloud metadata endpoints could be accessed. This issue may lead to information disclosure and enable attackers to map internal network infrastructure.

Source: NVD

View vulnerable instances

Not a customer? See how Wiz maps CVEs like this one to real cloud attack paths.

Watch 12-min demo

5.8

Score

Published March 18, 2026

Severity MEDIUM

CNA Score 5.8

Affected Technologies

JBoss EAP

Has Public Exploit No

Has CISA KEV Exploit No

CISA KEV Release Date N/A

CISA KEV Due Date N/A

Exploitation Probability Percentile (EPSS) 9.1

Exploitation Probability (EPSS) N/A

Affected packages and libraries

cpe:2.3:a:redhat:jboss_enterprise_application_platform

Sources

VulnCheck NVD++
- Linux Severity MEDIUMNo FixAdded at: Apr 02, 2026
- Windows Severity MEDIUMNo FixAdded at: Apr 02, 2026
NVD
- Linux Severity MEDIUMNo FixAdded at: Apr 05, 2026
- Windows Severity MEDIUMNo FixAdded at: Apr 05, 2026

Get a CVE risk assessment

Get a prioritized view of CVEs in your cloud—so you can focus on what's exploitable, not just what's listed.

Request assessment

Related JBoss EAP vulnerabilities:

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2026-28369	CRITICAL	9.1	Java	io.undertow:undertow-parent	No	Yes	Mar 27, 2026
CVE-2026-28368	CRITICAL	9.1	Java	pki-core:10.6::resteasy	No	Yes	Mar 27, 2026
CVE-2026-28367	CRITICAL	9.1	Java	fuse	No	Yes	Mar 27, 2026
CVE-2026-3121	HIGH	7.2	Java	cpe:2.3:a:redhat:jboss_enterprise_application_platform	No	Yes	Mar 26, 2026
CVE-2026-4874	LOW	3.1	Java	org.keycloak:keycloak-services	No	Yes	Mar 26, 2026