VYPR

Keycloak

by Red Hat

Source repositories

CVEs (45)

  • CVE-2017-2646 (High) Jul 27, 2018
    risk 0.49, CVSS 7.5, EPSS 0.02

    It was found that when Keycloak before 2.5.5 receives a Logout request with an Extensions element in the middle of the request, the SAMLSloRequestParser.parse() method ends in an infinite loop. An attacker could use this flaw to conduct denial-of-service attacks.

  • CVE-2026-9795 (High) May 28, 2026
    risk 0.47, CVSS 7.3, EPSS 0.00

    A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses…

  • CVE-2017-12160 (High) Oct 26, 2017
    risk 0.47, CVSS 7.2, EPSS 0.02

    It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission revocation. An attacker on an already compromised resource could use this flaw to…

  • CVE-2026-7504 (High) May 19, 2026
    risk 0.46, CVSS 8.1, EPSS 0.01

    A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information within the domain or…

  • CVE-2026-4630 (Medium) May 19, 2026
    risk 0.44, CVSS 6.8, EPSS 0.00

    A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belonging to another Resource Server…

  • CVE-2026-7507 (High) May 19, 2026
    risk 0.42, CVSS 7.5, EPSS 0.00

    A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leveraging the…

  • CVE-2025-14777 (Medium) Dec 16, 2025
    risk 0.39, CVSS 6.0, EPSS 0.00

    A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer…

  • CVE-2025-7365 (High) Jul 10, 2025
    risk 0.39, CVSS 7.1, EPSS 0.00

    A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to…

  • CVE-2023-48795 (Medium) Dec 18, 2023
    risk 0.39, CVSS 5.9, EPSS 0.93

    The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently…

  • CVE-2026-9793 (Medium) May 28, 2026
    risk 0.38, CVSS 5.9, EPSS 0.00

    A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit…

  • CVE-2026-37982 (Medium) May 19, 2026
    risk 0.37, CVSS 6.8, EPSS 0.00

    A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own…

  • CVE-2026-9087 (Medium) May 20, 2026
    risk 0.35, CVSS 6.4, EPSS 0.00

    A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local…

  • CVE-2026-9803 (Medium) May 28, 2026
    risk 0.34, CVSS 5.3, EPSS 0.00

    A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an…

  • CVE-2026-11986 (Medium) Jun 11, 2026
    risk 0.32, CVSS 4.9, EPSS 0.00

    A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role mappings. This allows a…

  • CVE-2026-9801 (Medium) May 28, 2026
    risk 0.32, CVSS 4.9, EPSS 0.00

    A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a…

  • CVE-2026-37981 (Medium) May 19, 2026
    risk 0.28, CVSS 4.3, EPSS 0.00

    A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identifiable information (PII) for…

  • CVE-2018-10894 (Medium) Aug 1, 2018
    risk 0.28, CVSS 5.4, EPSS 0.00

    It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user could use this to access unauthorized data or possibly conduct further attacks.

  • CVE-2026-9689 (Medium) May 27, 2026
    risk 0.27, CVSS 4.2, EPSS 0.00

    A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web…

  • CVE-2026-37978 (Medium) May 19, 2026
    risk 0.25, CVSS 4.9, EPSS 0.00

    A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable…

  • CVE-2026-9791 (Medium) May 28, 2026
    risk 0.21, CVSS 4.3, EPSS 0.00

    A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata…

Page 1 of 3