VYPR

Keycloak

by Red Hat

CVEs (45)

  • CVE-2026-9088 | Low | Jun 5, 2026
    risk 0.18 | cvss 2.7 | epss 0.00

    A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured…

  • CVE-2016-8609 | Low | Aug 1, 2018
    risk 0.17 | cvss 3.7 | epss 0.02

    It was found that Keycloak before 2.3.0 did not implement the authentication flow correctly. An attacker could use this flaw to construct a phishing URL, from which he could hijack the user's session. This could lead to information disclosure, or permit further possible attacks.

  • CVE-2023-0264 | Aug 4, 2023
    risk 0.00 | cvss (not listed) | epss 0.01

    A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated attacker who could obtain information from a user request within the same realm could use that data to impersonate the victim and generate new session…

  • CVE-2023-0105 | Jan 11, 2023
    risk 0.00 | cvss (not listed) | epss 0.01

    A flaw was found in Keycloak. This flaw allows impersonation and lockout due to email trust not being handled correctly in Keycloak. An attacker can shadow other users with the same email and lock out or impersonate them.

  • CVE-2023-0091 | Jan 11, 2023
    risk 0.00 | cvss (not listed) | epss 0.00

    A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. This flaw allows an attacker to access or modify potentially sensitive information.

  • CVE-2022-3782 | Jan 11, 2023
    risk 0.00 | cvss (not listed) | epss 0.06

    keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive…

  • CVE-2020-14366 | Nov 9, 2020
    risk 0.00 | cvss (not listed) | epss 0.01

    A vulnerability was found in Keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the URL path to the file path. Only a few specific folder hierarchies can be exposed by this flaw.

  • CVE-2020-1758 | May 15, 2020
    risk 0.00 | cvss (not listed) | epss 0.01

    A flaw was found in Keycloak in versions before 10.0.0, where it does not perform TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

  • CVE-2020-1714 | May 13, 2020
    risk 0.00 | cvss (not listed) | epss 0.03

    A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. This flaw allows an attacker to inject arbitrarily serialized Java Objects, which would then get deserialized in a privileged context and potentially…

  • CVE-2020-1718 | May 12, 2020
    risk 0.00 | cvss (not listed) | epss 0.01

    A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthorized access to the application.

  • CVE-2020-1724 | May 11, 2020
    risk 0.00 | cvss (not listed) | epss 0.01

    A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user who is currently logged in to see the personal information of a previously logged-out user in the account manager section.

  • CVE-2020-1698 | May 11, 2020
    risk 0.00 | cvss (not listed) | epss 0.00

    A flaw was found in Keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as a parameter. The highest threat from this vulnerability is to data confidentiality.

  • CVE-2020-1744 | Mar 24, 2020
    risk 0.00 | cvss (not listed) | epss 0.01

    A flaw was found in Keycloak before version 9.0.1. When configuring a Conditional OTP Authentication Flow as a post-login flow of an IDP, the failed login events for OTP are not sent to the brute force protection event queue, so BruteForceProtector does not handle this…

  • CVE-2020-1731 | Mar 2, 2020
    risk 0.00 | cvss (not listed) | epss 0.01

    A flaw was found in all versions of the Keycloak operator before version 8.0.2 (community only), where the operator generates a random admin password when installing Keycloak; however, the password remains the same when deployed to the same OpenShift namespace.

  • CVE-2020-1697 | Feb 10, 2020
    risk 0.00 | cvss (not listed) | epss 0.01

    It was found in all Keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authenticated malicious user could create URLs to trick users in other realms, and possibly…

  • CVE-2019-14837 | Jan 7, 2020
    risk 0.00 | cvss (not listed) | epss 0.02

    A flaw was found in Keycloak before version 8.0.0. The owner of the 'placeholder.org' domain can set up a mail server on this domain and, knowing only the name of a client, can reset the password and then log in. For example, for client name 'test' the email address will be…

  • CVE-2019-10201 | Aug 14, 2019
    risk 0.00 | cvss (not listed) | epss 0.01

    It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the sections, the message is still accepted, and the message can be modified. An attacker could use this…

  • CVE-2019-10199 | Aug 14, 2019
    risk 0.00 | cvss (not listed) | epss 0.01

    It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via a request from an untrusted domain.

  • CVE-2019-3875 | Jun 12, 2019
    risk 0.00 | cvss (not listed) | epss 0.00

    A vulnerability was found in Keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates through the CRL, where the CRL list can be obtained from the URL provided in the certificate itself (CDP) or through the separately configured path. The…

  • CVE-2019-10157 | Jun 12, 2019
    risk 0.00 | cvss (not listed) | epss 0.00

    It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout. An attacker with local access could use this to construct a malicious web token setting an NBF parameter that could…