VYPR

apk package

chainguard/keycloak-26.5

pkg:apk/chainguard/keycloak-26.5

Vulnerabilities (18)

  • CVE-2026-42577 (High), May 13, 2026
    affected < 26.5.7-r1, fixed 26.5.7-r1

    Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final, Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some

  • CVE-2026-4636 (High), Apr 2, 2026
    affected < 26.5.7-r0, fixed 26.5.7-r0

    A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an a

  • CVE-2026-4634 (High), Apr 2, 2026
    affected < 26.5.7-r0, fixed 26.5.7-r0

    A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged process

  • CVE-2026-4325 (Medium), Apr 2, 2026
    affected < 26.5.7-r0, fixed 26.5.7-r0

    A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password re

  • CVE-2026-4282 (High), Apr 2, 2026
    affected < 26.5.7-r0, fixed 26.5.7-r0

    A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable ac

  • CVE-2026-3872 (High), Apr 2, 2026
    affected < 26.5.7-r0, fixed 26.5.7-r0

    A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting i

  • CVE-2026-33871, Mar 27, 2026
    affected < 26.5.6-r3, fixed 26.5.6-r3

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o

  • CVE-2026-33870, Mar 27, 2026
    affected < 26.5.6-r2, fixed 26.5.6-r2

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an

  • CVE-2026-4633 (Low), Mar 23, 2026
    affected < 26.5.7-r0, fixed 26.5.7-r0

    A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user e

  • CVE-2026-3429 (Medium), Mar 11, 2026
    affected < 26.5.6-r0, fixed 26.5.6-r0

    A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the vic

  • CVE-2026-3911 (Low), Mar 11, 2026
    affected < 26.5.6-r0, fixed 26.5.6-r0

    A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This u

  • CVE-2025-11537 (Medium), Feb 10, 2026
    affected < 26.5.6-r3, fixed 26.5.6-r3

    A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log f

  • CVE-2026-1190 (Low), Jan 26, 2026
    affected < 26.5.3-r0, fixed 26.5.3-r0

    A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the

  • CVE-2025-14559 (Medium), Jan 21, 2026
    affected < 26.5.2-r0, fixed 26.5.2-r0

    A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implemen

  • CVE-2026-1002, Jan 15, 2026
    affected < 26.5.7-r0, fixed 26.5.7-r0

    The Vert.x Web static handler component cache can be manipulated to deny access to static files served by the handler using a specifically crafted request URI. The issue comes from an improper implementation of rule C of section 5.2.4 of RFC 3986 and is fixed in Vert.x Co

  • CVE-2025-66560, Jan 7, 2026
    affected < 26.5.1-r0, fixed 26.5.1-r0

    Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits f

  • CVE-2017-12159 (High), Oct 26, 2017
    affected < 0, fixed 0 (no build of this package falls in that range)

    It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.

  • CVE-2017-12158 (Medium), Oct 26, 2017
    affected < 0, fixed 0 (no build of this package falls in that range)

    It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.
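The practical question this listing answers is "which of these CVEs still apply to the build I am running?". Each entry is stated as "affected < FIXED", so the check is a version comparison against each fixed version. The script below is an added example, not Chainguard's tooling or Keycloak code: it transcribes the fixed versions from the list above and implements only the slice of apk version ordering those versions need (dotted numeric components, then the -rN package release). Full apk-tools ordering also handles suffixes such as _alpha or _p1, which this parser rejects rather than misorders; for real images, the installed version is read from the apk database (/lib/apk/db/installed) or the image SBOM, and a scanner such as grype or trivy does this comparison with the complete rules.

```python
import re
from typing import List, Tuple

# Fixed versions transcribed from the listing above for pkg:apk/chainguard/keycloak-26.5.
# Every entry reads "affected < FIXED, fixed FIXED", so installed < FIXED means still exposed.
# The two 2017 CVEs carry a fixed version of 0, which no real build sorts below.
LISTED_FIXES: List[Tuple[str, str]] = [
    ("CVE-2026-42577", "26.5.7-r1"),
    ("CVE-2026-4636", "26.5.7-r0"),
    ("CVE-2026-4634", "26.5.7-r0"),
    ("CVE-2026-4325", "26.5.7-r0"),
    ("CVE-2026-4282", "26.5.7-r0"),
    ("CVE-2026-3872", "26.5.7-r0"),
    ("CVE-2026-33871", "26.5.6-r3"),
    ("CVE-2026-33870", "26.5.6-r2"),
    ("CVE-2026-4633", "26.5.7-r0"),
    ("CVE-2026-3429", "26.5.6-r0"),
    ("CVE-2026-3911", "26.5.6-r0"),
    ("CVE-2025-11537", "26.5.6-r3"),
    ("CVE-2026-1190", "26.5.3-r0"),
    ("CVE-2025-14559", "26.5.2-r0"),
    ("CVE-2026-1002", "26.5.7-r0"),
    ("CVE-2025-66560", "26.5.1-r0"),
    ("CVE-2017-12159", "0"),
    ("CVE-2017-12158", "0"),
]

# Subset of apk version syntax used on this page: 1.2.3 with an optional -rN release.
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")


def parse_apk_version(version: str) -> Tuple[Tuple[int, ...], int]:
    """Split a version into (numeric components, package release).

    Suffixes such as _alpha1 or _p3 are outside this simplified grammar and
    raise instead of being silently ordered wrong (assumption: the caller
    only feeds versions shaped like the ones in LISTED_FIXES).
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unsupported apk version syntax: {version!r}")
    components = tuple(int(part) for part in m.group(1).split("."))
    release = int(m.group(2)) if m.group(2) is not None else 0
    return components, release


def version_lt(a: str, b: str) -> bool:
    """True when a sorts strictly before b (components numerically, then -rN)."""
    return parse_apk_version(a) < parse_apk_version(b)


def unfixed_cves(installed: str) -> List[str]:
    """CVE IDs from the listing whose fixed build is newer than the installed one."""
    return [cve for cve, fixed in LISTED_FIXES if version_lt(installed, fixed)]


if __name__ == "__main__":
    # Constructed sample builds, not output of any real image inspection.
    for build in ("26.5.6-r2", "26.5.6-r3", "26.5.7-r0", "26.5.7-r1"):
        exposed = unfixed_cves(build)
        print(f"{build}: {len(exposed)} unfixed -> {', '.join(exposed) or 'none'}")
```

Note that the -rN release matters here: CVE-2026-33871 and CVE-2025-11537 were fixed in a rebuild (26.5.6-r3) of the same upstream Keycloak version, so a comparison that drops the release suffix would report 26.5.6-r2 as clean.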
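CVE-2026-1190 above describes the SAML broker skipping the NotOnOrAfter check on SubjectConfirmationData, which is what stops a captured bearer assertion from being replayed later. The following is an added example of that check on the service-provider side, written here for illustration and not taken from Keycloak: it parses a constructed assertion, finds the bearer SubjectConfirmation, requires NotOnOrAfter to be present, and rejects the assertion once the instant has passed (with an assumed one-minute clock-skew allowance). The Recipient comparison is included because the same element carries it and it is checked in the same place; the assumed recipient URL is made up for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import xml.etree.ElementTree as ET  # for untrusted input use defusedxml.ElementTree instead

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML2}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
CLOCK_SKEW = timedelta(seconds=60)  # assumption: tolerate up to a minute of IdP/SP clock drift

# Constructed sample assertion (unsigned, made up for this example; signature
# verification happens before any of the checks below in a real SP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-1" Version="2.0" IssueInstant="2026-03-11T10:00:00Z">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2026-03-11T10:05:00Z"
          Recipient="https://sp.example.test/saml/acs" InResponseTo="_req-1"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
</saml:Assertion>"""


def parse_saml_instant(value: str) -> datetime:
    """SAML xs:dateTime values are UTC and end in 'Z'; anything else is rejected."""
    if not value.endswith("Z"):
        raise ValueError(f"non-UTC SAML timestamp: {value!r}")
    return datetime.fromisoformat(value[:-1]).replace(tzinfo=timezone.utc)


def check_bearer_confirmation(
    assertion_xml: str,
    now: Optional[datetime] = None,
    expected_recipient: Optional[str] = None,
) -> Tuple[bool, str]:
    """Validate the bearer SubjectConfirmationData of an assertion.

    Returns (accepted, reason). A bearer confirmation without NotOnOrAfter
    is refused outright rather than treated as never expiring.
    """
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(assertion_xml)
    for confirmation in root.findall(".//saml:Subject/saml:SubjectConfirmation", NS):
        if confirmation.get("Method") != BEARER:
            continue
        data = confirmation.find("saml:SubjectConfirmationData", NS)
        if data is None:
            return False, "bearer SubjectConfirmation without SubjectConfirmationData"
        not_on_or_after = data.get("NotOnOrAfter")
        if not_on_or_after is None:
            return False, "SubjectConfirmationData lacks NotOnOrAfter"
        # NotOnOrAfter is exclusive: the instant itself is already invalid.
        if now >= parse_saml_instant(not_on_or_after) + CLOCK_SKEW:
            return False, f"SubjectConfirmationData expired at {not_on_or_after}"
        if expected_recipient is not None and data.get("Recipient") != expected_recipient:
            return False, "Recipient does not match this service provider"
        return True, "ok"
    return False, "no bearer SubjectConfirmation present"


def check_sample_at(instant: str, xml: str = SAMPLE_ASSERTION,
                    recipient: Optional[str] = None) -> Tuple[bool, str]:
    """Evaluate an assertion as if the current time were the given UTC instant."""
    return check_bearer_confirmation(xml, now=parse_saml_instant(instant),
                                     expected_recipient=recipient)


if __name__ == "__main__":
    for when in ("2026-03-11T10:00:00Z", "2026-03-11T10:05:30Z", "2026-03-11T10:07:00Z"):
        print(when, check_sample_at(when, recipient="https://sp.example.test/saml/acs"))
```

The replay the advisory describes is the third case: an assertion that was valid at 10:00 is presented at 10:07, and an SP that never reads NotOnOrAfter accepts it.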
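CVE-2026-33870 above is a request-smuggling bug rooted in how Netty parsed quoted strings in chunk extensions: when a front end and a back end disagree on where a chunk-size line ends or what it means, one of them can be made to read a different request than the other. The page does not give the exact malformed input, so the example below does not reproduce it. Instead it is an added, strict parser for the chunk-size line as defined in RFC 9112 section 7.1.1 (chunk-size, optional extensions, token or quoted-string values with backslash escapes), written here for illustration rather than taken from Netty. It shows what a tolerant parser has to get right: a ';' inside a quoted value is data, not a new extension, and an unterminated quote or trailing ';' is a malformed line to reject, not something to guess about.

```python
import re
from typing import Dict, Tuple

# token = 1*tchar, RFC 9110 section 5.6.2
_TOKEN = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_HEX = re.compile(r"[0-9A-Fa-f]+")


def parse_chunk_size_line(line: str) -> Tuple[int, Dict[str, str]]:
    """Parse 'chunk-size [ chunk-ext ] CRLF' strictly.

    Returns (size, {ext-name: ext-value}); an extension given without '='
    maps to ''. Raises ValueError for anything outside the RFC 9112 grammar.
    """
    if not line.endswith("\r\n"):
        raise ValueError("chunk line must end with CRLF")
    body = line[:-2]
    n = len(body)
    m = _HEX.match(body)
    if not m:
        raise ValueError("missing or non-hex chunk-size")
    size = int(m.group(0), 16)
    i = m.end()
    exts: Dict[str, str] = {}

    def skip_bws() -> None:
        # BWS: optional whitespace the grammar allows around ';' and '='
        nonlocal i
        while i < n and body[i] in " \t":
            i += 1

    while True:
        skip_bws()
        if i >= n:
            break
        if body[i] != ";":
            raise ValueError(f"unexpected byte {body[i]!r} after chunk-size")
        i += 1
        skip_bws()
        m = _TOKEN.match(body, i)
        if not m:
            raise ValueError("chunk-ext-name must be a token")
        name, i = m.group(0), m.end()
        value = ""
        skip_bws()
        if i < n and body[i] == "=":
            i += 1
            skip_bws()
            if i < n and body[i] == '"':
                # quoted-string = DQUOTE *( qdtext / quoted-pair ) DQUOTE
                i += 1
                buf = []
                while True:
                    if i >= n:
                        raise ValueError("unterminated quoted-string")
                    c = body[i]
                    if c == '"':
                        i += 1
                        break
                    if c == "\\":
                        # quoted-pair: the next byte is taken literally
                        i += 1
                        if i >= n:
                            raise ValueError("dangling backslash in quoted-string")
                        c = body[i]
                        if not (c == "\t" or " " <= c <= "~" or ord(c) >= 0x80):
                            raise ValueError("control byte after backslash")
                    elif not (c == "\t" or (" " <= c <= "~") or ord(c) >= 0x80):
                        raise ValueError("control byte inside quoted-string")
                    buf.append(c)
                    i += 1
                value = "".join(buf)
            else:
                m = _TOKEN.match(body, i)
                if not m:
                    raise ValueError("chunk-ext-val must be a token or quoted-string")
                value, i = m.group(0), m.end()
        exts[name] = value
    return size, exts


def is_well_formed_chunk_line(line: str) -> bool:
    """Convenience wrapper: True if the line parses, False if it is rejected."""
    try:
        parse_chunk_size_line(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic.
    for sample in ('a\r\n', '5;name=token\r\n', '5 ; name = "semi;colon \\" quote"\r\n',
                   '5;name="unterminated\r\n', '5;name=abc;\r\n'):
        print(repr(sample), "->", parse_chunk_size_line(sample) if is_well_formed_chunk_line(sample) else "rejected")
```

When two parsers in a chain disagree on any of the rejected cases, the defensive choice for the one in front is to close the connection on a malformed chunk line rather than forward bytes it could not fully parse.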