Maven package
org.keycloak/keycloak-services
pkg:maven/org.keycloak/keycloak-services
Vulnerabilities (74)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-2733 | Low | 3.8 | <= 26.5.3 | — | Feb 19, 2026 | A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a r | |
| CVE-2026-1529 | Hig | 8.1 | >= 26.5.0, < 26.5.3 | 26.5.3 | Feb 9, 2026 | A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully se | |
| CVE-2026-1486 | Hig | 8.8 | >= 26.5.0, < 26.5.3 | 26.5.3 | Feb 9, 2026 | A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration | |
| CVE-2025-14778 | Med | 5.4 | < 26.2.13 | 26.2.13 | Feb 9, 2026 | A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership | |
| CVE-2025-13881 | Low | 2.7 | >= 26.5.0, < 26.5.2 | 26.5.2 | Feb 2, 2026 | A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings. | |
| CVE-2026-1190 | Low | 3.1 | <= 26.5.2 | — | Jan 26, 2026 | A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the | |
| CVE-2025-14083 | Low | 2.7 | <= 26.2.5 | — | Jan 21, 2026 | A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. | |
| CVE-2025-14559 | Med | 6.5 | >= 26.5.0, < 26.5.2 | 26.5.2 | Jan 21, 2026 | A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implemen | |
| CVE-2026-1035 | Low | 3.1 | <= 26.2.5 | — | Jan 21, 2026 | A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performe | |
| CVE-2025-14082 | Low | 2.7 | < 26.5.0 | 26.5.0 | Dec 10, 2025 | A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. | |
| CVE-2025-12390 | Med | 6.0 | < 26.0.0 | 26.0.0 | Oct 28, 2025 | A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookie | |
| CVE-2025-12110 | Med | 5.4 | < 26.2.3 | 26.2.3 | Oct 23, 2025 | A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes | |
| CVE-2025-11429 | Med | 5.4 | >= 26.3.0, < 26.4.1 | 26.4.1 | Oct 23, 2025 | A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's | |
| CVE-2025-8419 | — | < 26.2.8 | 26.2.8 | Aug 6, 2025 | A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very sh | ||
| CVE-2025-7784 | Med | 6.5 | >= 26.2.0, < 26.2.6 | 26.2.6 | Jul 18, 2025 | A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability | |
| CVE-2025-7365 | Hig | 7.1 | < 26.0.13 | 26.0.13 | Jul 10, 2025 | A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to mod | |
| CVE-2025-3501 | Hig | 8.2 | < 26.2.2 | 26.2.2 | Apr 29, 2025 | A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. | |
| CVE-2025-3910 | — | < 26.2.2 | 26.2.2 | Apr 29, 2025 | A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. | ||
| CVE-2025-2559 | Med | 4.9 | <= 26.1.4 | — | Mar 25, 2025 | A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOf | |
| CVE-2025-1391 | Med | 5.4 | >= 26.1.0, < 26.1.3 | 26.1.3 | Feb 17, 2025 | A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an app |
- affected <= 26.5.3
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a r
- affected >= 26.5.0, < 26.5.3fixed 26.5.3
A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows the attacker to successfully se
- affected >= 26.5.0, < 26.5.3fixed 26.5.3
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) retrieves the IdP configuration
- affected < 26.2.13fixed 26.2.13
A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only verifies the caller's ownership
- affected >= 26.5.0, < 26.5.2fixed 26.5.2
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings.
- affected <= 26.5.2
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the
- affected <= 26.2.5
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.
- affected >= 26.5.0, < 26.5.2fixed 26.5.2
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implemen
- affected <= 26.2.5
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performe
- affected < 26.5.0fixed 26.5.0
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.
- affected < 26.0.0fixed 26.0.0
A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookie
- affected < 26.2.3fixed 26.2.3
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes
- affected >= 26.3.0, < 26.4.1fixed 26.4.1
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's
- CVE-2025-8419Aug 6, 2025affected < 26.2.8fixed 26.2.8
A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very sh
- affected >= 26.2.0, < 26.2.6fixed 26.2.6
A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability
- affected < 26.0.13fixed 26.0.13
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to mod
- affected < 26.2.2fixed 26.2.2
A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.
- CVE-2025-3910Apr 29, 2025affected < 26.2.2fixed 26.2.2
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
- affected <= 26.1.4
A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOf
- affected >= 26.1.0, < 26.1.3fixed 26.1.3
A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an app
Page 2 of 4