Keycloak
by Keycloak
Source repositories
CVEs (104)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-11429 | Med | 0.28 | 5.4 | 0.00 | Oct 23, 2025 | A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the… | ||
| CVE-2025-1391 | Med | 0.28 | 5.4 | 0.00 | Feb 17, 2025 | A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an… | ||
| CVE-2026-9794 | Med | 0.27 | 5.3 | 0.00 | May 28, 2026 | A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct… | ||
| CVE-2026-9689 | Med | 0.27 | 4.2 | 0.00 | May 27, 2026 | A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web… | ||
| CVE-2026-0707 | Med | 0.27 | 5.3 | 0.00 | Jan 8, 2026 | A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750… | ||
| CVE-2026-37978 | Med | 0.25 | 4.9 | 0.00 | May 19, 2026 | A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable… | ||
| CVE-2024-4028 | Low | 0.25 | 3.8 | 0.00 | Feb 18, 2025 | A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. | ||
| CVE-2024-11736 | Med | 0.25 | 4.9 | 0.01 | Jan 14, 2025 | A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or… | ||
| CVE-2025-10939 | Low | 0.24 | 3.7 | 0.00 | Oct 28, 2025 | A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application… | ||
| CVE-2023-0657 | Low | 0.22 | 3.4 | 0.00 | Nov 17, 2024 | A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. | ||
| CVE-2026-9791 | Med | 0.21 | 4.3 | 0.00 | May 28, 2026 | A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata… | ||
| CVE-2026-8830 | Med | 0.21 | 4.3 | 0.00 | May 19, 2026 | A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's… | ||
| CVE-2025-10044 | Med | 0.21 | 4.3 | 0.00 | Sep 5, 2025 | A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft… | ||
| CVE-2026-6856 | low | 0.20 | 3.1 | — | Apr 13, 2026 | keycloak: keycloak: acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration | ||
| CVE-2026-1035 | Low | 0.20 | 3.1 | 0.00 | Jan 21, 2026 | A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not… | ||
| CVE-2026-1518 | Low | 0.18 | 2.7 | 0.00 | Feb 2, 2026 | A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. | ||
| CVE-2025-14083 | Low | 0.18 | 2.7 | 0.00 | Jan 21, 2026 | A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. | ||
| CVE-2026-3911 | Low | 0.11 | 2.7 | 0.00 | Mar 11, 2026 | A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This… | ||
| CVE-2025-14082 | Low | 0.11 | 2.7 | 0.00 | Dec 10, 2025 | A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. | ||
| CVE-2024-10492 | Low | 0.11 | 2.7 | 0.01 | Nov 25, 2024 | A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example,… |
- risk 0.28cvss 5.4epss 0.00
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the…
- risk 0.28cvss 5.4epss 0.00
A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an…
- risk 0.27cvss 5.3epss 0.00
A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct…
- risk 0.27cvss 4.2epss 0.00
A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web…
- risk 0.27cvss 5.3epss 0.00
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750…
- risk 0.25cvss 4.9epss 0.00
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable…
- risk 0.25cvss 3.8epss 0.00
A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.
- risk 0.25cvss 4.9epss 0.01
A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or…
- risk 0.24cvss 3.7epss 0.00
A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application…
- risk 0.22cvss 3.4epss 0.00
A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions.
- risk 0.21cvss 4.3epss 0.00
A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata…
- risk 0.21cvss 4.3epss 0.00
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's…
- risk 0.21cvss 4.3epss 0.00
A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft…
- risk 0.20cvss 3.1epss —
keycloak: keycloak: acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration
- risk 0.20cvss 3.1epss 0.00
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not…
- risk 0.18cvss 2.7epss 0.00
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services.
- risk 0.18cvss 2.7epss 0.00
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.
- risk 0.11cvss 2.7epss 0.00
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This…
- risk 0.11cvss 2.7epss 0.00
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint.
- risk 0.11cvss 2.7epss 0.01
A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example,…
Page 3 of 6