apk package
chainguard/keycloak-fips-26.5
pkg:apk/chainguard/keycloak-fips-26.5
Vulnerabilities (19)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42577 | Hig | 7.5 | < 26.5.7-r0 | 26.5.7-r0 | May 13, 2026 | Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some | |
| CVE-2026-4636 | Hig | 8.1 | < 26.5.6-r4 | 26.5.6-r4 | Apr 2, 2026 | A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an a | |
| CVE-2026-4634 | Hig | 7.5 | < 26.5.6-r4 | 26.5.6-r4 | Apr 2, 2026 | A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged process | |
| CVE-2026-4325 | Med | 5.3 | < 26.5.6-r4 | 26.5.6-r4 | Apr 2, 2026 | A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password re | |
| CVE-2026-4282 | Hig | 7.4 | < 26.5.6-r4 | 26.5.6-r4 | Apr 2, 2026 | A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable ac | |
| CVE-2026-3872 | Hig | 7.3 | < 26.5.6-r4 | 26.5.6-r4 | Apr 2, 2026 | A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting i | |
| CVE-2026-33871 | — | < 26.5.6-r3 | 26.5.6-r3 | Mar 27, 2026 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o | ||
| CVE-2026-33870 | — | < 26.5.6-r2 | 26.5.6-r2 | Mar 27, 2026 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an | ||
| CVE-2026-4874 | Low | 3.1 | < 26.5.6-r4 | 26.5.6-r4 | Mar 26, 2026 | A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the | |
| CVE-2026-4633 | Low | 3.7 | < 26.5.6-r4 | 26.5.6-r4 | Mar 23, 2026 | A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user e | |
| CVE-2026-4628 | Med | 4.3 | < 26.5.6-r4 | 26.5.6-r4 | Mar 23, 2026 | A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of | |
| CVE-2026-3429 | Med | 4.2 | < 26.5.6-r0 | 26.5.6-r0 | Mar 11, 2026 | A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the vic | |
| CVE-2026-3911 | Low | 2.7 | < 26.5.6-r0 | 26.5.6-r0 | Mar 11, 2026 | A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This u | |
| CVE-2026-2733 | Low | 3.8 | < 26.5.4-r0 | 26.5.4-r0 | Feb 19, 2026 | A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a r | |
| CVE-2025-11537 | Med | 5.0 | < 26.5.6-r4 | 26.5.6-r4 | Feb 10, 2026 | A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log f | |
| CVE-2026-1190 | Low | 3.1 | < 26.5.3-r0 | 26.5.3-r0 | Jan 26, 2026 | A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the | |
| CVE-2025-14559 | Med | 6.5 | < 26.5.2-r0 | 26.5.2-r0 | Jan 21, 2026 | A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implemen | |
| CVE-2026-1002 | — | < 26.5.7-r0 | 26.5.7-r0 | Jan 15, 2026 | The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Co | ||
| CVE-2025-66560 | — | < 26.5.2-r0 | 26.5.2-r0 | Jan 7, 2026 | Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits f |
- affected < 26.5.7-r0fixed 26.5.7-r0
Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some
- affected < 26.5.6-r4fixed 26.5.6-r4
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an a
- affected < 26.5.6-r4fixed 26.5.6-r4
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged process
- affected < 26.5.6-r4fixed 26.5.6-r4
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password re
- affected < 26.5.6-r4fixed 26.5.6-r4
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable ac
- affected < 26.5.6-r4fixed 26.5.6-r4
A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting i
- CVE-2026-33871Mar 27, 2026affected < 26.5.6-r3fixed 26.5.6-r3
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, a remote user can trigger a Denial of Service (DoS) against a Netty HTTP/2 server by sending a flood of `CONTINUATION` frames. The server's lack of a limit o
- CVE-2026-33870Mar 27, 2026affected < 26.5.6-r2fixed 26.5.6-r2
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.132.Final and 4.2.10.Final, Netty incorrectly parses quoted strings in HTTP/1.1 chunked transfer encoding extension values, enabling request smuggling attacks. Versions 4.1.132.Final an
- affected < 26.5.6-r4fixed 26.5.6-r4
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the
- affected < 26.5.6-r4fixed 26.5.6-r4
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user e
- affected < 26.5.6-r4fixed 26.5.6-r4
A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of
- affected < 26.5.6-r0fixed 26.5.6-r0
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the vic
- affected < 26.5.6-r0fixed 26.5.6-r0
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This u
- affected < 26.5.4-r0fixed 26.5.4-r0
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a r
- affected < 26.5.6-r4fixed 26.5.6-r4
A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log f
- affected < 26.5.3-r0fixed 26.5.3-r0
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the
- affected < 26.5.2-r0fixed 26.5.2-r0
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implemen
- CVE-2026-1002Jan 15, 2026affected < 26.5.7-r0fixed 26.5.7-r0
The Vert.x Web static handler component cache can be manipulated to deny the access to static files served by the handler using specifically crafted request URI. The issue comes from an improper implementation of the C. rule of section 5.2.4 of RFC3986 and is fixed in Vert.x Co
- CVE-2025-66560Jan 7, 2026affected < 26.5.2-r0fixed 26.5.2-r0
Quarkus is a Cloud Native, (Linux) Container First framework for writing Java applications. Prior to versions 3.31.0, 3.27.2, and 3.20.5, a vulnerability exists in the HTTP layer of Quarkus REST related to response handling. When a response is being written, the framework waits f