VYPR

Maven package

org.keycloak/keycloak-ldap-federation

pkg:maven/org.keycloak/keycloak-ldap-federation

Vulnerabilities (4)

  • CVE-2025-13467 (severity: Medium) published Nov 25, 2025
    affected: >= 26.3.0, < 26.4.6; fixed in 26.4.6

    A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

  • CVE-2025-0604 (severity: Medium) published Jan 22, 2025
    affected: >= 26.1.0, < 26.1.3; fixed in 26.1.3

    A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycl

  • CVE-2022-2232 (severity: High) published Nov 14, 2024
    affected: < 23.0.1; fixed in 23.0.1

    A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions.

  • CVE-2024-5967 (severity: Low) published Jun 18, 2024
    affected: >= 25.0.0, < 25.0.1; fixed in 25.0.1

    A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP host