What you need to know today.
Keycloak, Apache Airflow, and Erlang/OTP face critical vulnerabilities including access control bypasses, arbitrary code execution, and denial-of-service flaws.

Keycloak is facing a trio of access control bypass vulnerabilities, collectively referred to as FGAP v2. CVE-2026-14614 allows a client scope assignment bypass, potentially granting unauthorized access. CVE-2026-14615 bypasses per-child view permission filters for parent group children, and CVE-2026-14613 discloses hidden group metadata via the role groups endpoint without proper permissions. These flaws could enable attackers to escalate privileges or access sensitive information within Keycloak environments. As detailed by Vypr Intelligence, these vulnerabilities collectively pose a significant risk to the security of systems relying on Keycloak for authentication and authorization.
Apache Airflow's Kubernetes provider is affected by a critical arbitrary code execution vulnerability, CVE-2023-33234. This flaw allows a user with elevated permissions to modify the XCom sidecar image and its associated resources through an Airflow connection. Exploiting this could lead to the execution of arbitrary code within the Kubernetes environment managed by Airflow. Additionally, CVE-2023-51702 describes a vulnerability in deferrable mode when Kubernetes configuration files are used for authentication: the Airflow worker serializes the configuration file and sends it to the triggerer, potentially exposing sensitive information or enabling further exploitation.
Several vulnerabilities have been disclosed in Apache HttpComponents Core, impacting both HTTP/1.1 and HTTP/2 implementations. CVE-2026-54428 and CVE-2026-54399 detail resource consumption flaws in the HPACK decoder and HTTP/1.1 message parser, respectively. These vulnerabilities could allow remote attackers to cause denial-of-service conditions through memory exhaustion. The affected versions include 5.4.2 and earlier, as well as 5.5-beta1 and earlier. Vypr Intelligence noted these issues among a broader set of Apache vulnerabilities.
Erlang/OTP has seen the disclosure of multiple vulnerabilities affecting its SSL and SFTP modules. CVE-2026-53422 in the ssh_sftpd module allows authenticated SFTP users to enumerate files and directories outside the configured root. CVE-2026-54891 in the ssl module permits network attackers to inject unauthenticated plaintext. CVE-2026-54886, also in ssh_sftpd, can lead to an unresponsive SFTP channel due to an infinite loop. Finally, CVE-2026-55950 in the ssl module's dtls_packet_demux could allow attackers to crash DTLS sessions. Vypr Intelligence highlighted these collectively.
A heap buffer overflow vulnerability, CVE-2026-54696, has been identified in the Ruby JSON gem versions 2.9.0 through 2.19.8. This flaw occurs when the JSON generator is provided with an oversized streamed object during JSON.dump(obj, io) operations, potentially leading to crashes or memory corruption.
Debian systems are affected by multiple vulnerabilities. CVE-2026-54431 and CVE-2026-54430 in liboauth2 involve improper handling of DPoP proofs and Server-Side Request Forgery (SSRF) in the AWS ALB verifier, respectively. Additionally, CVE-2026-58035 in Wikimedia Foundation MediaWiki introduces a Cross-Site Scripting (XSS) vulnerability.
Wasmtime, a WebAssembly runtime, has a vulnerability (CVE-2026-54786) in its native WASIp1 implementation. This affects multiple version ranges and could have security implications for applications relying on Wasmtime for WebAssembly execution.
FreeIPA, an identity management solution, has an off-by-one buffer overflow vulnerability (CVE-2026-14612) in its ipa-otpd oauth2.c file during OAuth2 device authorization. This could lead to memory corruption or crashes.
HPLIP, a printing solution, has an incomplete fix for CVE-2026-8631, leading to a new vulnerability, CVE-2026-14544. This suggests that the original fix was insufficient, and the vulnerability may still be exploitable.
Erlang/OTP ssl has a vulnerability (CVE-2026-55952) where it does not validate the length of the PSK identity list and binder list in a TLS 1.3 ClientHello, potentially leading to issues in session ticket handling.
Erlang/OTP ssl also has a vulnerability (CVE-2026-54887) related to predictable DTLS cookie computation during startup, which could allow for source address verification bypass.
Erlang/OTP ssh has a vulnerability (CVE-2026-54886) in its ssh_sftpd module where an infinite loop can occur, making an SFTP channel unresponsive.
MediaWiki has a Cross-Site Scripting (XSS) vulnerability (CVE-2026-58035) in its Special:Block functionality.
Apache HttpComponents Core has an uncontrolled resource consumption vulnerability (CVE-2026-54399) in its HTTP/1.1 message parser.
Apache HttpComponents Core has an allocation of resources without limits or throttling vulnerability (CVE-2026-54428) in its HTTP/2 HPACK decoder.
Erlang/OTP ssl has a vulnerability (CVE-2026-54891) in its tls_gen_connection module, allowing injection of unauthenticated plaintext.
Erlang/OTP ssl has a vulnerability (CVE-2026-55950) in its dtls_packet_demux module, allowing attackers to crash DTLS sessions.
Erlang/OTP ssl has a vulnerability (CVE-2026-55952) related to TLS 1.3 ClientHello pre-shared key extensions.
Debian has a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-54430) in liboauth2.
Debian has a vulnerability (CVE-2026-54431) in liboauth2 related to DPoP verifier accepting private key material.
Erlang has a vulnerability (CVE-2026-53422) in its ssh_sftpd module allowing file enumeration.
Ruby JSON has a heap buffer overflow vulnerability (CVE-2026-54696).
FreeIPA has an off-by-one buffer overflow vulnerability (CVE-2026-14612).
HPLIP has an incomplete fix for CVE-2026-8631 (CVE-2026-14544).
Keycloak has a client scope assignment bypass vulnerability (CVE-2026-14614).
Keycloak has a parent group children endpoint bypass vulnerability (CVE-2026-14615).
Keycloak has a role groups endpoint bypass vulnerability (CVE-2026-14613).