VYPR

Maven package

org.keycloak/keycloak-server-spi-private

pkg:maven/org.keycloak/keycloak-server-spi-private

Vulnerabilities (4)

  • CVE-2026-3190  Medium  Mar 26, 2026
    affected < 26.5.6, fixed 26.5.6

    A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection`

  • CVE-2026-0871  Feb 27, 2026
    affected < 26.5.2, fixed 26.5.2

    A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles,

  • CVE-2023-2585  Dec 21, 2023
    affected < 21.1.2, fixed 21.1.2

    Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible

  • CVE-2020-10776  Nov 17, 2020
    affected < 12.0.0, fixed 12.0.0

    A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
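The check CVE-2026-3190 describes as missing, shown as an added example. This is not Keycloak's code: it is a hypothetical permission-ticket issuer that gates on the `uma_protection` client role before doing anything else. It assumes the usual Keycloak access-token claim layout (`azp` naming the client the token was issued to, `resource_access` keyed by client id with a `roles` list); the sample claims are constructed, not real tokens.

```python
"""Illustrative uma_protection gate for a UMA permission-ticket endpoint.

Added example, not Keycloak's implementation. Assumes the Keycloak-style
claim layout: ``azp`` = client the token was issued to, and
``resource_access[<client>]["roles"]`` = that client's roles.
"""
import secrets
import time

ROLE_UMA_PROTECTION = "uma_protection"


def token_may_create_ticket(claims, resource_server, now=None):
    """Return True only for a live token that was issued to the resource
    server client AND carries that client's uma_protection role.

    Being merely authenticated (the CVE-2026-3190 situation) is not enough.
    """
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False
    # Token must be issued for the resource server itself, not another client.
    if claims.get("azp") != resource_server:
        return False
    # uma_protection is a client role of the resource server, so it lives
    # under that client's entry in resource_access (assumed claim layout).
    client_roles = (
        claims.get("resource_access", {})
        .get(resource_server, {})
        .get("roles", [])
    )
    return ROLE_UMA_PROTECTION in client_roles


def create_permission_ticket(claims, resource_server, resource_id, scopes, now=None):
    """Hypothetical ticket issuer: refuses unless the role gate passes.

    A real server would mint a signed ticket bound to resource_id/scopes;
    an opaque random handle stands in for it here.
    """
    if not token_may_create_ticket(claims, resource_server, now):
        raise PermissionError(
            f"token lacks {ROLE_UMA_PROTECTION} for client {resource_server}"
        )
    return "ticket-" + secrets.token_urlsafe(16)


# Constructed sample claims (not real tokens).
NOW = 1_700_000_000
RS_CLIENT = "photo-api"
RS_TOKEN = {  # resource server's own token: allowed
    "azp": RS_CLIENT, "exp": NOW + 300,
    "resource_access": {RS_CLIENT: {"roles": [ROLE_UMA_PROTECTION]}},
}
USER_TOKEN_FOR_RS = {  # authenticated user, token for RS client, wrong role
    "azp": RS_CLIENT, "exp": NOW + 300,
    "resource_access": {RS_CLIENT: {"roles": ["viewer"]}},
}
OTHER_CLIENT_TOKEN = {  # has the role name, but issued to a different client
    "azp": "web-frontend", "exp": NOW + 300,
    "resource_access": {RS_CLIENT: {"roles": [ROLE_UMA_PROTECTION]}},
}
EXPIRED_TOKEN = {
    "azp": RS_CLIENT, "exp": NOW - 1,
    "resource_access": {RS_CLIENT: {"roles": [ROLE_UMA_PROTECTION]}},
}

if __name__ == "__main__":
    for name, tok in [("rs", RS_TOKEN), ("user", USER_TOKEN_FOR_RS),
                      ("other", OTHER_CLIENT_TOKEN), ("expired", EXPIRED_TOKEN)]:
        print(name, token_may_create_ticket(tok, RS_CLIENT, NOW))
```

The point of the `azp` comparison is that the role lookup alone is not sufficient: a token issued to an unrelated client could still carry a `resource_access` entry for the resource server, so both the audience of the token and the role must be checked.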
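For CVE-2020-10776, the class of bug is a redirect_uri that is accepted with a scheme the browser will execute (`javascript:`, `data:`) rather than navigate to. The following is an added example, not Keycloak's code: a scheme-allowlist validator applied both when a redirect URI is registered and when one is matched at authorization time. The allowlist, the registration list and the sample URIs are constructed for illustration.

```python
"""Illustrative redirect_uri scheme validation (added example, not Keycloak's code).

Rejects registration or use of redirect URIs whose scheme the browser would
execute in the authorization server's context instead of navigating to.
"""
from urllib.parse import urlsplit

# Constructed allowlist. Native apps may legitimately need custom schemes
# (e.g. "myapp"), which should be added explicitly; javascript/data/vbscript
# must never be.
DEFAULT_ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_safe_redirect_uri(uri, allowed_schemes=DEFAULT_ALLOWED_SCHEMES):
    """Return True only if uri has an allowlisted scheme, a host, and no
    control/whitespace characters that could break a Location header."""
    if not isinstance(uri, str) or not uri:
        return False
    # urlsplit silently strips tab/CR/LF, so check the raw string first.
    if any(ch in uri for ch in "\r\n\t "):
        return False
    try:
        parts = urlsplit(uri)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    if parts.scheme.lower() not in allowed_schemes:
        return False
    # Scheme-relative ("//host/...") or bare-path values are rejected too.
    return bool(parts.netloc)


def register_redirect_uri(registered, uri, allowed_schemes=DEFAULT_ALLOWED_SCHEMES):
    """Add uri to the client's registered set only if it passes the scheme check.
    Returns True when accepted, False when refused."""
    if not is_safe_redirect_uri(uri, allowed_schemes):
        return False
    registered.add(uri)
    return True


def resolve_redirect_uri(requested, registered, allowed_schemes=DEFAULT_ALLOWED_SCHEMES):
    """Authorization-time match: exact string match against the registered set,
    re-validated so a value that slipped into storage earlier is still refused.
    Returns the URI to redirect to, or None."""
    if requested not in registered:
        return None
    if not is_safe_redirect_uri(requested, allowed_schemes):
        return None
    return requested


def permissive_register(registered, uri):
    """Vulnerable pattern for contrast: any non-empty string is accepted,
    so "javascript:..." ends up registered and later used as a redirect."""
    if uri:
        registered.add(uri)
        return True
    return False


if __name__ == "__main__":
    client_uris = set()
    for candidate in ["https://app.example.com/cb",
                      "javascript:alert(document.domain)",
                      "data:text/html,<script>alert(1)</script>",
                      "//evil.example/cb"]:
        print(candidate, register_redirect_uri(client_uris, candidate))
    print(sorted(client_uris))
```

The re-validation in `resolve_redirect_uri` is deliberate: a fix that only hardens registration leaves previously stored unsafe values live, so the authorization endpoint should refuse them as well.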