Maven package
org.keycloak/keycloak-model-jpa
pkg:maven/org.keycloak/keycloak-model-jpa
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-3190 | Med | 4.3 | | < 26.5.6 | 26.5.6 | Mar 26, 2026 | A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` |
| CVE-2023-6563 | — | | | < 21.0.0 | 21.0.0 | Dec 14, 2023 | An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (> 500,000 users with each having at least 2 saved sessions). If an attacker creates two or more user sessions and then open the |
| CVE-2019-14832 | — | | | < 7.0.1 | 7.0.1 | Oct 15, 2019 | A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks. |