Keycloak
Products (3)
- 104 CVEs
- 1 CVE
- 1 CVE
Recent CVEs (106 in total)

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-7474 | | Critical | 0.64 | 9.8 | 0.03 | | May 12, 2017 | It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks. |
| CVE-2014-3709 | | High | 0.50 | 8.8 | 0.01 | | Oct 18, 2017 | The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection. |
| CVE-2025-11419 | | High | 0.49 | 7.5 | 0.01 | | Dec 23, 2025 | A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable. |
| CVE-2014-3651 | | High | 0.49 | 7.5 | 0.02 | | Dec 29, 2017 | JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation. |
| CVE-2017-12159 | | High | 0.49 | 7.5 | 0.02 | | Oct 26, 2017 | It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. |
| CVE-2026-9086 | | Important | 0.47 | 7.3 | 0.00 | | Jun 25, 2026 | keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass |
| CVE-2026-11577 | | High | 0.47 | 7.2 | 0.00 | | Jun 8, 2026 | A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm… |
| CVE-2026-9795 | | High | 0.47 | 7.3 | 0.00 | | May 28, 2026 | A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses… |
| CVE-2025-3501 | | High | 0.46 | 8.2 | 0.00 | | Apr 29, 2025 | A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. |
| CVE-2024-10039 | | High | 0.45 | — | 0.00 | | Nov 25, 2024 | A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the… |
| CVE-2026-9802 | | Medium | 0.44 | 6.8 | 0.00 | | May 28, 2026 | A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even… |
| CVE-2026-9704 | | Medium | 0.44 | 6.8 | 0.00 | | May 27, 2026 | A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to… |
| CVE-2026-12388 | | Moderate | 0.42 | 6.5 | — | | Jun 30, 2026 | keycloak-broker: Keycloak: Privilege escalation to realm administrator via improper authorization in identity provider mapper |
| CVE-2026-9705 | | Moderate | 0.42 | 6.5 | 0.00 | | Jun 25, 2026 | keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token |
| CVE-2026-9796 | | Medium | 0.42 | 6.5 | 0.00 | | May 28, 2026 | A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users… |
| CVE-2026-9792 | | Medium | 0.42 | 6.5 | 0.00 | | May 28, 2026 | A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant`… |
| CVE-2026-7307 | | High | 0.42 | 7.5 | 0.01 | | May 19, 2026 | A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS)… |
| CVE-2022-2232 | | High | 0.42 | 7.5 | 0.01 | | Nov 14, 2024 | A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions. |
| CVE-2026-7571 | | High | 0.39 | 7.1 | 0.00 | | May 19, 2026 | A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can… |
| CVE-2025-14777 | | Medium | 0.39 | 6.0 | 0.00 | | Dec 16, 2025 | A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer… |