VYPR

Keycloak

by Keycloak

CVEs (104)

  • CVE-2026-4366 · Med · Mar 18, 2026
    risk 0.38 · cvss 5.8 · epss 0.00

    A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or…

  • CVE-2026-37982 · Med · May 19, 2026
    risk 0.37 · cvss 6.8 · epss 0.00

    A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own…

  • CVE-2025-11538 · Med · Nov 13, 2025
    risk 0.37 · cvss 6.8 · epss 0.00

    A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker…

  • CVE-2026-9087 · Med · May 20, 2026
    risk 0.35 · cvss 6.4 · epss 0.00

    A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local…

  • CVE-2026-37979 · Med · May 19, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims…

  • CVE-2025-0604 · Med · Jan 22, 2025
    risk 0.35 · cvss 5.4 · epss 0.01

    A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in…

  • CVE-2024-11734 · Med · Jan 14, 2025
    risk 0.35 · cvss 6.5 · epss 0.01

    A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server…

  • CVE-2024-10270 · Med · Nov 25, 2024
    risk 0.35 · cvss 6.5 · epss 0.01

    A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to regex complexity.

  • CVE-2017-12158 · Med · Oct 26, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.

  • CVE-2026-9083 · mod · Jun 25, 2026
    risk 0.32 · cvss 4.9 · epss 0.01

    keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing

  • CVE-2025-12390 · Med · Oct 28, 2025
    risk 0.32 · cvss 6.0 · epss 0.00

    A flaw was found in Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn't clean up properly during logout when browser…

  • CVE-2025-9162 · Med · Aug 21, 2025
    risk 0.32 · cvss 4.9 · epss 0.00

    A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted…

  • CVE-2025-2559 · Med · Mar 25, 2025
    risk 0.32 · cvss 4.9 · epss 0.01

    A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an…

  • CVE-2024-9666 · Med · Nov 25, 2024
    risk 0.31 · cvss 4.7 · epss 0.00

    A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated…

  • CVE-2024-10451 · Med · Nov 25, 2024
    risk 0.31 · cvss 5.9 · epss 0.01

    A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data…

  • CVE-2024-10973 · Med · Dec 17, 2024
    risk 0.30 · cvss 5.7 · epss 0.00

    A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read…

  • CVE-2025-13467 · Med · Nov 25, 2025
    risk 0.29 · cvss 5.5 · epss 0.00

    A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

  • CVE-2026-9798 · Med · May 28, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA)…

  • CVE-2026-8922 · Med · May 19, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain…

  • CVE-2025-12110 · Med · Oct 23, 2025
    risk 0.28 · cvss 5.4 · epss 0.00

    A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes…
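An added check for the exposure described in CVE-2025-11538 above (example code written for this page, not Keycloak's own): JDWP has no authentication, so the only question worth asking is whether a debug agent answers at all. The probe completes the JDWP transport handshake, the 14-byte "JDWP-Handshake" string that the agent echoes back, against a host and port; a True result on anything other than loopback is the finding. The default port 8787 is an assumption taken from the `--debug` handling in kc.sh, and the fake agent is a constructed test double so the block runs offline.

```python
import socket
import threading

# The JDWP transport handshake: the client sends this 14-byte string and a
# debug agent echoes it back verbatim before any command packets flow.
JDWP_HANDSHAKE = b"JDWP-Handshake"


def probe_jdwp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if something on host:port completes the JDWP handshake.

    Anything that answers is a live debug agent: JDWP has no authentication,
    so a True result on a non-loopback address is a finding in itself.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(JDWP_HANDSHAKE)
            reply = b""
            while len(reply) < len(JDWP_HANDSHAKE):
                chunk = sock.recv(len(JDWP_HANDSHAKE) - len(reply))
                if not chunk:  # peer closed before echoing the handshake
                    break
                reply += chunk
            return reply == JDWP_HANDSHAKE
    except OSError:  # refused, timed out, unreachable
        return False


def scan_jdwp(hosts, port: int = 8787) -> dict:
    """Probe each host on the given port (8787 assumed as kc.sh's default); returns {host: exposed}."""
    return {host: probe_jdwp(host, port) for host in hosts}


def start_fake_agent(reply: bytes = JDWP_HANDSHAKE) -> int:
    """Constructed test double, not a real JVM: listens on 127.0.0.1, reads the
    client's handshake and answers with `reply`. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            conn.recv(len(JDWP_HANDSHAKE))
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


def unused_port() -> int:
    """Pick a loopback port nothing listens on (negative case for the probe)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_agent()
    print("fake agent exposed:", probe_jdwp("127.0.0.1", port))  # True
    print("closed port exposed:", probe_jdwp("127.0.0.1", unused_port()))  # False
```

Run it against the addresses a Keycloak host is reachable on, not just loopback: a listener bound to 0.0.0.0 answers on every interface, which is exactly the condition the advisory describes. The same check is also useful in a post-upgrade test to confirm the port no longer answers from the network.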
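The proxy-header problem in CVE-2024-9666 above comes down to accepting forwarded-for elements that are not IP addresses. The following is an added example of the strict handling a front end or policy layer should apply (written for this page, not Keycloak's code): every element of the header must parse as an IP literal, optional ports and bracketed IPv6 are tolerated, and anything else, including RFC 7239 obfuscated identifiers such as `_hidden` and `unknown`, is rejected rather than passed along as a client address. The trusted-proxy CIDRs and sample header values are constructed inputs.

```python
import ipaddress
from typing import Iterable, List, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def _strip_port(token: str) -> str:
    """Drop an optional port: '[2001:db8::1]:443' -> '2001:db8::1', '203.0.113.7:8080' -> '203.0.113.7'."""
    if token.startswith("["):
        end = token.find("]")
        if end < 0:
            raise ValueError(f"unterminated IPv6 literal: {token!r}")
        return token[1:end]
    if token.count(":") == 1:  # IPv4:port; a bare IPv6 literal has at least two colons
        return token.split(":", 1)[0]
    return token


def parse_forwarded_for(value: str) -> List[IPAddr]:
    """Parse an X-Forwarded-For value into IP addresses, strictly.

    Every element must be an IP literal. Obfuscated identifiers ('_hidden'),
    'unknown', hostnames and empty elements raise ValueError instead of being
    accepted as a client address.
    """
    ips: List[IPAddr] = []
    for raw in value.split(","):
        token = raw.strip().strip('"')
        if not token:
            raise ValueError("empty element in forwarded-for header")
        ips.append(ipaddress.ip_address(_strip_port(token)))  # raises on non-IP values
    return ips


def is_strict_ip_list(value: str) -> bool:
    """True only if every element of the header is an IP literal."""
    try:
        parse_forwarded_for(value)
        return True
    except ValueError:
        return False


def resolve_client_ip(peer: str, xff: str, trusted_cidrs: Iterable[str]) -> IPAddr:
    """Decide which address to treat as the client.

    The header is consulted only when the TCP peer is a trusted proxy. Walking
    the chain from the right, the first hop that is not one of our proxies is
    the client. A malformed header from a trusted proxy is an error for the
    caller to turn into a 4xx, never something silently accepted.
    """
    trusted = [ipaddress.ip_network(cidr) for cidr in trusted_cidrs]
    peer_ip = ipaddress.ip_address(peer)

    def is_trusted(ip: IPAddr) -> bool:
        return any(ip in net for net in trusted)

    if not is_trusted(peer_ip) or not xff:
        return peer_ip  # untrusted peer: its header is attacker-controlled, ignore it
    hops = parse_forwarded_for(xff)
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return hops[0]  # every hop was one of our proxies; the leftmost is the best we have


if __name__ == "__main__":
    print(resolve_client_ip("10.0.0.1", "203.0.113.7, 10.0.0.2", ["10.0.0.0/8"]))  # 203.0.113.7
    print(is_strict_ip_list("_hidden, 10.0.0.2"))  # False
```

The two decisions that matter are made explicit: the header is ignored unless the peer is a proxy you operate, and a proxy that forwards non-IP values is treated as a bug to surface, not a value to store in sessions, rate limiters or brute-force counters keyed by client address.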

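Two of the introspection entries above, CVE-2026-37979 (audience restrictions bypassed by a confidential client) and CVE-2026-8922 (realm-level `notBefore` ignored when a client-level one is also set), are both failures of the same decision procedure. The following added example (illustrative policy written for this page, not Keycloak's implementation) shows the two rules a correct introspection endpoint enforces: revocation timestamps combine by taking the latest one, so a client-level `notBefore` can never loosen the realm-level one, and a caller that is neither the client the token was issued to nor one of its audiences receives `active: false` rather than the claims. Claim names follow RFC 7662 and OpenID Connect; the sample token and timestamps are constructed, and the assumption that the audience check admits only `azp` and `aud` members is mine.

```python
from dataclasses import dataclass
from typing import Dict, Mapping, Tuple


@dataclass(frozen=True)
class AccessToken:
    """The claims introspection needs; iat and exp are Unix seconds."""
    iat: int
    exp: int
    azp: str               # client the token was issued to
    aud: Tuple[str, ...]   # resource servers the token is addressed to
    sub: str
    scope: str


def effective_not_before(realm_nb: int, client_nb: int = 0, user_nb: int = 0) -> int:
    """Combine revocation policies by taking the latest timestamp.

    A token must have been issued at or after every policy that applies to
    it, so the realm-level value still counts when a client-level one exists.
    """
    return max(realm_nb, client_nb, user_nb)


def introspect(token: AccessToken, caller: str, realm_nb: int,
               client_nb: Mapping[str, int], user_nb: Mapping[str, int],
               now: int) -> Dict[str, object]:
    """Build an RFC 7662 style response for `caller`, the authenticated client.

    realm_nb / client_nb / user_nb are 'tokens issued before this time are
    revoked' timestamps at realm, per-client and per-user level (0 = unset).
    """
    nb = effective_not_before(realm_nb, client_nb.get(token.azp, 0), user_nb.get(token.sub, 0))
    if token.exp <= now or token.iat < nb:
        return {"active": False}
    # Audience restriction (assumed rule): only a party the token was issued
    # to or for may see its claims. Anyone else learns nothing, not even that
    # the token is valid.
    if caller != token.azp and caller not in token.aud:
        return {"active": False}
    return {
        "active": True, "sub": token.sub, "azp": token.azp, "aud": list(token.aud),
        "scope": token.scope, "iat": token.iat, "exp": token.exp,
    }


if __name__ == "__main__":
    # Constructed sample: token issued at t=1000, realm-wide revocation pushed at t=1500,
    # while the client's own notBefore is an older t=500. The realm value must win.
    tok = AccessToken(iat=1000, exp=4600, azp="web-app", aud=("api",), sub="user-1", scope="openid")
    print(introspect(tok, "api", 1500, {"web-app": 500}, {}, 2000))      # {'active': False}
    print(introspect(tok, "other-client", 0, {}, {}, 2000))              # {'active': False}
    print(introspect(tok, "api", 0, {}, {}, 2000)["active"])             # True
```

The ordering of the checks is deliberate: validity (expiry and not-before) is evaluated before the audience check, and both failure modes return the same `{"active": false}` body, so an unauthorised caller cannot use the shape of the response to distinguish a revoked token from one it simply is not allowed to inspect.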
Page 2 of 6