Maven package
org.keycloak/keycloak-server-spi-private
pkg:maven/org.keycloak/keycloak-server-spi-private
Vulnerabilities (4)
| CVE | Severity | CVSS | CISA KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-3190 | Med | 4.3 | — | < 26.5.6 | 26.5.6 | Mar 26, 2026 | A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` … |
| CVE-2026-0871 | — | — | — | < 26.5.2 | 26.5.2 | Feb 27, 2026 | A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, … |
| CVE-2023-2585 | — | — | — | < 21.1.2 | 21.1.2 | Dec 21, 2023 | Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malicious OAuth client or possible … |
| CVE-2020-10776 | — | — | — | < 12.0.0 | 12.0.0 | Nov 17, 2020 | A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. |
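The practical question for anyone depending on this artifact is whether their resolved version falls inside one of the "< fixed in" ranges above. The following script is an added example, not Keycloak tooling or part of this listing: it embeds the four ranges from the table and compares a version (or a `pkg:maven` purl with a version) against them. The version ordering is a simplification of Maven's that is sufficient for Keycloak's release numbering (dot-separated numbers; a qualifier such as `-SNAPSHOT` or `-rc1` sorts before the plain release with the same numbers; `Final`/`GA` count as release).

```python
"""Check a keycloak-server-spi-private version against the advisory table above.

Added example; not Keycloak tooling. Version ordering is a simplified Maven
ordering: numeric dot-separated components, trailing zeros ignored, and any
qualifier other than Final/GA/release sorts below the plain release.
"""
import re

# Ranges taken from the table on this page: affected "< fixed_in".
ADVISORIES = {
    "CVE-2026-3190": "26.5.6",
    "CVE-2026-0871": "26.5.2",
    "CVE-2023-2585": "21.1.2",
    "CVE-2020-10776": "12.0.0",
}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[-.]([0-9A-Za-z][0-9A-Za-z.\-]*))?$")
_PURL_RE = re.compile(r"^pkg:maven/([^/@]+)/([^/@]+)@([^?#]+)(?:[?#].*)?$")


def parse_version(version):
    """Return a sortable key (numbers, is_release, qualifier)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:  # 26.5.0 is the same release as 26.5
        nums.pop()
    qualifier = (m.group(2) or "").lower()
    is_release = qualifier in ("", "final", "ga", "release")
    return (tuple(nums), 1 if is_release else 0, qualifier)


def is_affected(version, fixed_in):
    """True when version is strictly below the fixed version."""
    return parse_version(version) < parse_version(fixed_in)


def affected_cves(version):
    """CVEs from the table whose affected range contains the given version."""
    return [cve for cve, fixed in ADVISORIES.items() if is_affected(version, fixed)]


def affected_cves_for_purl(purl):
    """Same check for a purl such as
    pkg:maven/org.keycloak/keycloak-server-spi-private@26.5.5"""
    m = _PURL_RE.match(purl)
    if not m or (m.group(1), m.group(2)) != ("org.keycloak", "keycloak-server-spi-private"):
        raise ValueError("purl must name org.keycloak/keycloak-server-spi-private with a version")
    return affected_cves(m.group(3))


if __name__ == "__main__":
    # Constructed sample inputs, including a pre-release build of the fixed version.
    for v in ("26.5.6", "26.5.5", "26.5.6-SNAPSHOT", "21.1.1", "11.0.3"):
        print(f"{v:>16}: {affected_cves(v) or 'not affected'}")
    print(affected_cves_for_purl("pkg:maven/org.keycloak/keycloak-server-spi-private@26.5.5"))
```

Note that a `26.5.6-SNAPSHOT` build is reported as affected: only the released `26.5.6` is known to carry the fix, so pre-release builds of the fixed version should be treated as vulnerable until proven otherwise.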
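CVE-2020-10776 is the only entry above with a complete description, and its root cause is a check that belongs in every authorization server: a redirect URI registered for a client must not use a scheme the browser will execute or render as attacker content. The block below is an added example of that check in Python; it is not Keycloak's code, and the scheme allowlist is an assumption made for the example. It also covers the bypasses a naive string-prefix check misses, because browsers strip tabs, newlines and leading controls before parsing a URL.

```python
"""Reject redirect URIs with unsafe schemes before they are stored for a client.

Added example for the class of check CVE-2020-10776 concerns; this is not
Keycloak's code, and ALLOWED_SCHEMES is an assumption made for the example.
"""
import re

# Schemes a client may register. A native app's custom scheme is included only
# to show that non-web schemes still have to be named explicitly.
ALLOWED_SCHEMES = {"https", "http", "com.example.app"}

# Schemes that run script or render attacker-supplied content in the user's
# browser if the authorization server ever redirects to them.
DANGEROUS_SCHEMES = {"javascript", "data", "vbscript", "blob", "file", "about"}

_CONTROL_AND_SPACE = "".join(chr(c) for c in range(0x21)) + "\x7f"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")


def normalize(uri):
    """Mimic the WHATWG URL parser's pre-processing: remove tab/CR/LF anywhere
    and strip C0 controls and spaces from both ends. Without this a stored
    value such as 'java\\tscript:' or ' JAVAscript:' survives a naive prefix
    check but is executed as javascript: by the browser."""
    cleaned = "".join(ch for ch in uri if ch not in "\t\r\n")
    return cleaned.strip(_CONTROL_AND_SPACE)


def extract_scheme(uri):
    """Lower-cased scheme of an absolute URI, or None for relative input."""
    m = _SCHEME_RE.match(normalize(uri))
    return m.group(1).lower() if m else None


def validate_redirect_uri(uri):
    """Return (ok, reason) for a candidate redirect URI.

    Only an absolute URI with a scheme from ALLOWED_SCHEMES passes; a missing or
    scheme-relative URI, a dangerous scheme, and a fragment (forbidden for
    redirection endpoints by RFC 6749 section 3.1.2) are all rejected.
    """
    norm = normalize(uri)
    scheme = extract_scheme(norm)
    if scheme is None:
        return False, "missing scheme (relative or scheme-relative URI)"
    if scheme in DANGEROUS_SCHEMES:
        return False, f"dangerous scheme {scheme!r}"
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not in allowlist"
    if "#" in norm:
        return False, "fragment component not allowed"
    return True, "ok"


def filter_registrations(uris):
    """Partition candidate redirect URIs into accepted list and rejected dict."""
    accepted, rejected = [], {}
    for u in uris:
        ok, reason = validate_redirect_uri(u)
        if ok:
            accepted.append(u)
        else:
            rejected[u] = reason
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample input: values an admin (or an attacker holding
    # client-management rights) might try to store as redirect URIs.
    candidates = [
        "https://app.example.com/callback",
        "javascript:alert(document.domain)",
        " JaVaScRiPt:alert(1)",
        "java\tscript:alert(1)",
        "data:text/html,<script>alert(1)</script>",
        "//evil.example/cb",
        "https://app.example.com/cb#token",
        "com.example.app:/oauth2redirect",
    ]
    ok, bad = filter_registrations(candidates)
    print("accepted:", ok)
    for u, why in bad.items():
        print(f"rejected {u!r}: {why}")
```

The check deliberately runs on an explicit allowlist rather than only the `DANGEROUS_SCHEMES` denylist: the denylist documents what the check is defending against, but any scheme not positively named is still refused, so a scheme the list does not anticipate cannot slip through.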