A security vulnerability (CVE-2026-1180) has been identified in the Keycloak server used by the Identity and Access Management (IAM) component of Service Virtualization (DevTest).
A flaw exists in Keycloak's OpenID Connect Dynamic Client Registration feature when clients authenticate using `private_key_jwt`. The issue allows a client to specify an arbitrary `jwks_uri` which Keycloak retrieves without validating the destination.
Impact: This vulnerability enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources (Server-Side Request Forgery - SSRF). Attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk.
CVSS Score: 5.8
CVE-ID: CVE-2026-1180
Product: Service Virtualization (DevTest)
Component: Identity and Access Management (IAM) / Keycloak
Versions: 10.8.4 and earlier supported releases
The vulnerability is caused by a lack of destination validation for the `jwks_uri` parameter during OpenID Connect Dynamic Client Registration.
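The destination validation this advisory says is missing, as an added illustrative example in Python (not Keycloak's code and not the DevTest fix): it rejects non-HTTPS and credential-bearing URLs, resolves the host, and refuses loopback, private, link-local (cloud-metadata) and IPv4-mapped IPv6 targets. The host names, addresses and the `sample_resolve` hook are constructed for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Ranges a jwks_uri must never resolve to: loopback, RFC 1918 and shared space,
# link-local (incl. the 169.254.169.254 cloud-metadata address), multicast, IPv6 kin.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "::/128", "::1/128",
    "fc00::/7", "fe80::/10")]

# Constructed DNS data for this example; production code wraps socket.getaddrinfo.
SAMPLE_DNS = {"idp.example.com": ["203.0.113.10"],
              "intranet.example.com": ["10.20.30.40"]}
def sample_resolve(host: str) -> list:
    return SAMPLE_DNS.get(host, [])

def is_blocked_address(ip: str) -> bool:
    """True if the address lies in a range the server must not reach."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:  # ::ffff:10.0.0.1 hides an IPv4 target
        addr = addr.ipv4_mapped
    return any(addr in net for net in BLOCKED_NETWORKS)

def validate_jwks_uri(uri: str, resolve=sample_resolve) -> list:
    """Vet a client-supplied jwks_uri and return the resolved IPs; connect to exactly
    these (IP pinning) so DNS cannot change between check and fetch. Raises ValueError."""
    parts = urlparse(uri)
    if parts.scheme != "https":
        raise ValueError("jwks_uri must use https")
    if not parts.hostname or parts.username or parts.password:
        raise ValueError("jwks_uri needs a plain host without embedded credentials")
    if parts.port not in (None, 443):
        raise ValueError("jwks_uri must use port 443")
    try:  # a literal IP (including bracketed IPv6) is checked as-is
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addrs = resolve(parts.hostname)
    if not addrs:
        raise ValueError("jwks_uri host did not resolve")
    blocked = [a for a in addrs if is_blocked_address(a)]
    if blocked:
        raise ValueError(f"jwks_uri resolves to a restricted address: {blocked}")
    return addrs

def is_allowed_jwks_uri(uri: str, resolve=sample_resolve) -> bool:
    try:
        return bool(validate_jwks_uri(uri, resolve))
    except ValueError:
        return False
```

The returned address list is what the fetcher should actually connect to; validating and then letting the HTTP client re-resolve the name reopens the window the check is meant to close.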
This third-party vulnerability has been addressed by Keycloak. The fix is scheduled to be included in the **DevTest 10.9.1** release.
To remediate this issue, upgrade to **DevTest 10.9.1** when it becomes generally available. This release is currently scheduled for the **End of April 2026**.
**Note:** If your organization requires an immediate remediation or a security exception before the 10.9.1 release, please contact Broadcom Support to discuss potential interim workarounds based on your specific deployment configuration.