VYPR

Maven package

org.keycloak/keycloak-services

pkg:maven/org.keycloak/keycloak-services

Vulnerabilities (74)

  • CVE-2026-2733LowFeb 19, 2026
    affected <= 26.5.3

    A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a r

  • CVE-2026-1529HigFeb 9, 2026
    affected >= 26.5.0, < 26.5.3fixed 26.5.3

    A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully se

  • CVE-2026-1486HigFeb 9, 2026
    affected >= 26.5.0, < 26.5.3fixed 26.5.3

    A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration

  • CVE-2025-14778MedFeb 9, 2026
    affected < 26.2.13fixed 26.2.13

    A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership

  • CVE-2025-13881LowFeb 2, 2026
    affected >= 26.5.0, < 26.5.2fixed 26.5.2

    A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.

  • CVE-2026-1190LowJan 26, 2026
    affected <= 26.5.2

    A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the

  • CVE-2025-14083LowJan 21, 2026
    affected <= 26.2.5

    A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.

  • CVE-2025-14559MedJan 21, 2026
    affected >= 26.5.0, < 26.5.2fixed 26.5.2

    A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implemen

  • CVE-2026-1035LowJan 21, 2026
    affected <= 26.2.5

    A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performe

  • CVE-2025-14082LowDec 10, 2025
    affected < 26.5.0fixed 26.5.0

    A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.

  • CVE-2025-12390MedOct 28, 2025
    affected < 26.0.0fixed 26.0.0

    A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookie

  • CVE-2025-12110MedOct 23, 2025
    affected < 26.2.3fixed 26.2.3

    A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes

  • CVE-2025-11429MedOct 23, 2025
    affected >= 26.3.0, < 26.4.1fixed 26.4.1

    A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's

  • CVE-2025-8419Aug 6, 2025
    affected < 26.2.8fixed 26.2.8

    A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very sh

  • CVE-2025-7784MedJul 18, 2025
    affected >= 26.2.0, < 26.2.6fixed 26.2.6

    A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability

  • CVE-2025-7365HigJul 10, 2025
    affected < 26.0.13fixed 26.0.13

    A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to mod

  • CVE-2025-3501HigApr 29, 2025
    affected < 26.2.2fixed 26.2.2

    A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

  • CVE-2025-3910Apr 29, 2025
    affected < 26.2.2fixed 26.2.2

    A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.

  • CVE-2025-2559MedMar 25, 2025
    affected <= 26.1.4

    A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOf

  • CVE-2025-1391MedFeb 17, 2025
    affected >= 26.1.0, < 26.1.3fixed 26.1.3

    A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an app