VYPR

Maven package

org.keycloak/keycloak-services

pkg:maven/org.keycloak/keycloak-services

Vulnerabilities (73)

  • CVE-2026-7500 | Medium | Apr 30, 2026
    affected <= 26.6.1

    When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations — because they lack the `checkA

  • CVE-2026-37980 | Medium | Apr 14, 2026
    affected <= 26.5.5

    A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization

  • CVE-2026-37977 | Low | Apr 6, 2026
    affected <= 26.5.7

    A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used t

  • CVE-2026-4636 | High | Apr 2, 2026
    affected < 26.5.7, fixed 26.5.7

    A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even if the URL path specifies an a

  • CVE-2026-4634 | High | Apr 2, 2026
    affected < 26.5.7, fixed 26.5.7

    A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource consumption and prolonged process

  • CVE-2026-4325 | Medium | Apr 2, 2026
    affected < 26.5.7, fixed 26.5.7

    A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password re

  • CVE-2026-4282 | High | Apr 2, 2026
    affected < 26.5.7, fixed 26.5.7

    A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to the creation of admin-capable ac

  • CVE-2026-3872 | High | Apr 2, 2026
    affected < 26.5.7, fixed 26.5.7

    A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft of an access token, resulting i

  • CVE-2026-3190 | Medium | Mar 26, 2026
    affected < 26.5.6, fixed 26.5.6

    A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection`

  • CVE-2026-3121 | Medium | Mar 26, 2026
    affected < 26.5.6, fixed 26.5.6

    A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administra

  • CVE-2026-4874 | Low | Mar 26, 2026
    affected <= 26.6.0

    A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the

  • CVE-2026-4633 | Low | Mar 23, 2026
    affected >= 26.5.0, < 26.6.0, fixed 26.6.0

    A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user e

  • CVE-2026-4628 | Medium | Mar 23, 2026
    affected <= 26.6.0

    A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of

  • CVE-2026-2575 | Mar 18, 2026
    affected < 26.5.4, fixed 26.5.4

    A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to

  • CVE-2026-2092 | Mar 18, 2026
    affected >= 26.5.0, < 26.5.5, fixed 26.5.5

    A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious

  • CVE-2026-3429 | Medium | Mar 11, 2026
    affected <= 26.5.6

    A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the vic

  • CVE-2026-3911 | Low | Mar 11, 2026
    affected <= 26.5.5

    A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This u

  • CVE-2026-3009 | Mar 5, 2026
    affected < 26.5.5, fixed 26.5.5

    A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request

  • CVE-2025-12150 | Feb 27, 2026
    affected < 26.4.4, fixed 26.4.4

    A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is confi

  • CVE-2026-2733 | Low | Feb 19, 2026
    affected <= 26.5.3

    A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a r

Page 1 of 4