VYPR

Maven package

org.keycloak/keycloak-quarkus-server

pkg:maven/org.keycloak/keycloak-quarkus-server

Vulnerabilities (9)

  • CVE-2025-11537 | Severity: Medium | Feb 10, 2026
    affected: < 26.5.6 | fixed: 26.5.6

    A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker with read access to the log f

  • CVE-2026-0976 | Severity: Low | Jan 15, 2026
    affected: <= 26.2.5 | fixed: (no fixed version listed)

    A flaw was found in Keycloak. This improper input validation vulnerability occurs because Keycloak accepts RFC-compliant matrix parameters in URL path segments, while common reverse proxy configurations may ignore or mishandle them. A remote attacker can craft requests to mask pa

  • CVE-2025-10939 | Severity: Low | Oct 28, 2025
    affected: < 26.4.4 | fixed: 26.4.4

    A flaw was found in Keycloak. The Keycloak guides recommend not exposing the /admin path externally when the installation is behind a proxy. The issue occurs at least via HAProxy, which can be tricked into using relative/non-normalized paths to access the /admin application pat

  • CVE-2024-11736 | Severity: Medium | Jan 14, 2025
    affected: < 26.0.8 | fixed: 26.0.8

    A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or $

  • CVE-2024-11734 | Severity: Medium | Jan 14, 2025
    affected: < 26.0.8 | fixed: 26.0.8

    A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to

  • CVE-2024-10973 | Severity: Medium | Dec 17, 2024
    affected: >= 25.0.0, < 26.0.6 | fixed: 26.0.6

    A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read sensitiv

  • CVE-2024-9666 | Severity: Medium | Nov 25, 2024
    affected: >= 0 | fixed: (no fixed version listed)

    A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identif

  • CVE-2024-10492 | Severity: Low | Nov 25, 2024
    affected: < 26.0.6 | fixed: 26.0.6

    A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example, a

  • CVE-2024-10451 | Severity: Medium | Nov 25, 2024
    affected: < 24.0.9 | fixed: 24.0.9

    A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data specifie