VYPR

Maven package

org.keycloak/keycloak-parent

pkg:maven/org.keycloak/keycloak-parent

Vulnerabilities (25)

  • CVE-2026-1518 | Low | Feb 2, 2026
    affected <= 26.5.2

    A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services.

  • CVE-2026-0707 | Med | Jan 8, 2026
    affected <= 26.5.0

    A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 spe

  • CVE-2022-4137 | Sep 25, 2023
    affected < 20.0.5, fixed 20.0.5

    A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a

  • CVE-2022-3916 | Sep 20, 2023
    affected < 20.0.2, fixed 20.0.2

    A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enab

  • CVE-2022-3782 | Jan 11, 2023
    affected < 20.0.2, fixed 20.0.2

    keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive inf

  • CVE-2022-2256 | Sep 1, 2022
    affected < 19.0.2, fixed 19.0.2

    A stored cross-site scripting (XSS) vulnerability was found in Keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console by abusing the default roles functionality.

  • CVE-2021-3513 | Aug 22, 2022
    affected < 13.0.0, fixed 13.0.0

    A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality.

  • CVE-2022-2668 | Aug 5, 2022
    affected < 19.0.2, fixed 19.0.2

    An issue was discovered in Keycloak that allows arbitrary JavaScript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled.

  • CVE-2021-3461 | Apr 1, 2022
    affected < 14.0.0, fixed 14.0.0

    A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name].

  • CVE-2021-20222 | Mar 23, 2021
    affected >= 9.0.0, < 12.0.3, fixed 12.0.3

    A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

  • CVE-2020-1717 | Feb 11, 2021
    affected <= 7.0.1

    A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.

  • CVE-2020-1725 | Jan 28, 2021
    affected < 13.0.0, fixed 13.0.0

    A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token.

  • CVE-2020-14366 | Nov 9, 2020
    affected < 12.0.0, fixed 12.0.0

    A vulnerability was found in Keycloak where path traversal using URL-encoded path segments in the request is possible, because the resources endpoint applies a transformation of the URL path to the file path. Only a few specific folder hierarchies can be exposed by this flaw.

  • CVE-2020-1694 | Sep 16, 2020
    affected < 10.0.0, fixed 10.0.0

    A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.

  • CVE-2020-10748 | Sep 16, 2020
    affected < 10.0.2, fixed 10.0.2

    A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.

  • CVE-2020-10758 | Sep 16, 2020
    affected < 11.0.1, fixed 11.0.1

    A vulnerability was found in Keycloak before 11.0.1 where a DoS attack is possible by sending twenty requests simultaneously to the specified Keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.

  • CVE-2020-1758 | May 15, 2020
    affected < 10.0.0, fixed 10.0.0

    A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

  • CVE-2020-1718 | May 12, 2020
    affected < 8.0.0, fixed 8.0.0

    A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.

  • CVE-2019-14910 | Dec 5, 2019
    affected >= 7.0.0, <= 7.0.1

    A vulnerability was found in Keycloak 7.x: when Keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS (ldaps) to the LDAP server, user authentication succeeds even if an invalid password has been entered.

  • CVE-2019-14909 | Dec 4, 2019
    affected >= 7.0.0, <= 7.0.1

    A vulnerability was found in Keycloak 7.x: when the user federation LDAP bind type is none (LDAP anonymous bind), any password, valid or invalid, is accepted.
