VYPR

apk package

chainguard/keycloak-26.2

pkg:apk/chainguard/keycloak-26.2

Vulnerabilities (11)

  • CVE-2025-67735Dec 16, 2025
    affected < 26.2.5-r8fixed 26.2.5-r8

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-14082LowDec 10, 2025
    affected < 26.2.5-r7fixed 26.2.5-r7

    A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.

  • CVE-2025-13467MedNov 25, 2025
    affected < 26.2.5-r7fixed 26.2.5-r7

    A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

  • CVE-2025-11538MedNov 13, 2025
    affected < 26.2.5-r7fixed 26.2.5-r7

    A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug ) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker

  • CVE-2025-12390MedOct 28, 2025
    affected < 26.2.5-r6fixed 26.2.5-r6

    A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookie

  • CVE-2025-59250Oct 14, 2025
    affected < 0fixed 0

    Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2025-58057Sep 3, 2025
    affected < 26.2.5-r2fixed 26.2.5-r2

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s

  • CVE-2025-58056Sep 3, 2025
    affected < 26.2.5-r3fixed 26.2.5-r3

    Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch

  • CVE-2025-55163Aug 13, 2025
    affected < 26.2.5-r1fixed 26.2.5-r1

    Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the

  • CVE-2017-12159HigOct 26, 2017
    affected < 0fixed 0

    It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.

  • CVE-2017-12158MedOct 26, 2017
    affected < 0fixed 0

    It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.