Build Of Keycloak

by Red Hat

CVEs (68)

  • CVE-2026-4325 (Medium), Apr 2, 2026
    risk 0.27, CVSS 5.3, EPSS 0.00

    A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed action tokens, such as password…

  • CVE-2026-2575 (Medium), Mar 18, 2026
    risk 0.27, CVSS 5.3, EPSS 0.01

    A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application-level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading…

  • CVE-2023-3597 (Medium), Apr 25, 2024
    risk 0.26, CVSS 5.0, EPSS 0.01

    A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along with an existing one and…

  • CVE-2026-37978 (Medium), May 19, 2026
    risk 0.25, CVSS 4.9, EPSS 0.00

    A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable…

  • CVE-2026-9791 (Medium), May 28, 2026
    risk 0.21, CVSS 4.3, EPSS 0.00

    A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata…

  • CVE-2026-8830 (Medium), May 19, 2026
    risk 0.21, CVSS 4.3, EPSS 0.00

    A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's…

  • CVE-2026-3190 (Medium), Mar 26, 2026
    risk 0.21, CVSS 4.3, EPSS 0.00

    A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection`…

  • CVE-2026-4874 (Low), Mar 26, 2026
    risk 0.20, CVSS 3.1, EPSS 0.00

    A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the…

  • CVE-2026-37977 (Low), Apr 6, 2026
    risk 0.17, CVSS 3.7, EPSS 0.00

    A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied JSON Web Token (JWT) is used…

  • CVE-2026-4633 (Low), Mar 23, 2026
    risk 0.17, CVSS 3.7, EPSS 0.00

    A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user…

  • CVE-2026-3911 (Low), Mar 11, 2026
    risk 0.11, CVSS 2.7, EPSS 0.00

    A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This…

  • CVE-2024-5967 (Low), Jun 18, 2024
    risk 0.11, CVSS 2.7, EPSS 0.01

    A vulnerability was found in Keycloak. The LDAP testing endpoint allows changing the Connection URL independently without re-entering the currently configured LDAP bind credentials. This flaw allows an attacker with admin access (permission manage-realm) to change the LDAP…

  • CVE-2024-8883 (severity not listed), Sep 19, 2024
    risk 0.01, CVSS not listed, EPSS 0.02

    A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the…

  • CVE-2025-12150 (severity not listed), Feb 27, 2026
    risk 0.00, CVSS not listed, EPSS 0.00

    A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is…

  • CVE-2025-8419 (severity not listed), Aug 6, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very…

  • CVE-2025-5416 (severity not listed), Jun 20, 2025
    risk 0.00, CVSS not listed, EPSS 0.00

    A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information.

  • CVE-2023-6841 (severity not listed), Sep 10, 2024
    risk 0.00, CVSS not listed, EPSS 0.01

    A denial of service vulnerability was found in Keycloak where the number of attributes per object is not limited; an attacker sending repeated HTTP requests could cause resource exhaustion when the application sends back rows with long attribute values.

  • CVE-2024-7341 (severity not listed), Sep 9, 2024
    risk 0.00, CVSS not listed, EPSS 0.01

    A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session…

  • CVE-2024-7318 (severity not listed), Sep 9, 2024
    risk 0.00, CVSS not listed, EPSS 0.00

    A vulnerability was found in Keycloak. Expired OTP codes are still usable when using FreeOTP when the OTP token period is set to 30 seconds (default). Instead of expiring and being deemed unusable at around 30 seconds, the tokens are valid for an additional 30 seconds, totaling 1…

  • CVE-2024-7260 (severity not listed), Sep 9, 2024
    risk 0.00, CVSS not listed, EPSS 0.01

    An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_uri parameters are made to trick a user to visit a malicious webpage. A trusted URL can trick users and automation into believing that the URL is…