apk package
wolfi/keycloak-26.4
pkg:apk/wolfi/keycloak-26.4
Vulnerabilities (11)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-42577 | Hig | 7.5 | < 26.4.7-r9 | 26.4.7-r9 | May 13, 2026 | Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some | |
| CVE-2025-67735 | — | < 26.4.7-r1 | 26.4.7-r1 | Dec 16, 2025 | Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh | ||
| CVE-2025-66021 | — | < 26.4.7-r3 | 26.4.7-r3 | Nov 26, 2025 | OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows n | ||
| CVE-2025-12390 | Med | 6.0 | < 26.4.4-r0 | 26.4.4-r0 | Oct 28, 2025 | A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookie | |
| CVE-2025-10939 | Low | 3.7 | < 26.4.4-r0 | 26.4.4-r0 | Oct 28, 2025 | A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application pat | |
| CVE-2025-11429 | Med | 5.4 | < 26.4.2-r0 | 26.4.2-r0 | Oct 23, 2025 | A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's | |
| CVE-2025-11965 | — | < 26.4.7-r0 | 26.4.7-r0 | Oct 22, 2025 | In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config'). | ||
| CVE-2025-11966 | — | < 26.4.7-r0 | 26.4.7-r0 | Oct 22, 2025 | In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories | ||
| CVE-2025-59250 | — | < 26.4.7-r0 | 26.4.7-r0 | Oct 14, 2025 | Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network. | ||
| CVE-2017-12159 | Hig | 7.5 | < 0 | 0 | Oct 26, 2017 | It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. | |
| CVE-2017-12158 | Med | 5.4 | < 0 | 0 | Oct 26, 2017 | It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. |
- affected < 26.4.7-r9fixed 26.4.7-r9
Netty is an asynchronous, event-driven network application framework. From 4.2.0.Final to 4.2.13.Final , Netty's epoll transport fails to detect and close TCP connections that receive a RST after being half-closed, leading to stale channels that are never cleaned up and, in some
- CVE-2025-67735Dec 16, 2025affected < 26.4.7-r1fixed 26.4.7-r1
Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh
- CVE-2025-66021Nov 26, 2025affected < 26.4.7-r3fixed 26.4.7-r3
OWASP Java HTML Sanitizer is a configureable HTML Sanitizer written in Java, allowing inclusion of HTML authored by third-parties in web applications while protecting against XSS. In version 20240325.1, OWASP java html sanitizer is vulnerable to XSS if HtmlPolicyBuilder allows n
- affected < 26.4.4-r0fixed 26.4.4-r0
A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookie
- affected < 26.4.4-r0fixed 26.4.4-r0
A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application pat
- affected < 26.4.2-r0fixed 26.4.2-r0
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's
- CVE-2025-11965Oct 22, 2025affected < 26.4.7-r0fixed 26.4.7-r0
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], a StaticHandler configuration for restricting access to hidden files fails to restrict access to hidden directories, allowing unauthorized users to retrieve files within them (e.g. '.git/config').
- CVE-2025-11966Oct 22, 2025affected < 26.4.7-r0fixed 26.4.7-r0
In Eclipse Vert.x versions [4.0.0, 4.5.21] and [5.0.0, 5.0.4], when "directory listing" is enabled, file and directory names are inserted into generated HTML without proper escaping in the href, title, and link attributes. An attacker who can create or rename files or directories
- CVE-2025-59250Oct 14, 2025affected < 26.4.7-r0fixed 26.4.7-r0
Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.
- affected < 0fixed 0
It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.
- affected < 0fixed 0
It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.