Vendor
Keycloak
Products
2
CVEs
32
Across products
42
Status
Private
Products
2- 31 CVEs
- 11 CVEs
Recent CVEs
32| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-7474 | Cri | 0.64 | 9.8 | 0.02 | May 12, 2017 | It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks. | |
| CVE-2014-3709 | Hig | 0.50 | 8.8 | 0.00 | Oct 18, 2017 | The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection. | |
| CVE-2025-11419 | Hig | 0.49 | 7.5 | 0.00 | Dec 23, 2025 | A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable. | |
| CVE-2014-3651 | Hig | 0.49 | 7.5 | 0.01 | Dec 29, 2017 | JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation. | |
| CVE-2017-12159 | Hig | 0.49 | 7.5 | 0.01 | Oct 26, 2017 | It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. | |
| CVE-2026-37980 | Med | 0.45 | 6.9 | 0.00 | Apr 14, 2026 | A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the `organization.alias` is placed into an inline JavaScript `onclick` handler, allowing a crafted JavaScript payload to execute in a user's browser when they view the login page. Successful exploitation enables arbitrary JavaScript execution, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm. | |
| CVE-2025-14777 | Med | 0.39 | 6.0 | 0.00 | Dec 16, 2025 | A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer (client) ID provided in the API request, but the backend database lookup and modification operations (findById, delete) only use the resourceId. This mismatch allows an authenticated attacker with fine-grained admin permissions for one client (e.g., Client A) to delete or update resources belonging to another client (Client B) within the same realm by supplying a valid resource ID. | |
| CVE-2026-1180 | Med | 0.38 | 5.8 | 0.00 | Jan 20, 2026 | A flaw was identified in Keycloak’s OpenID Connect Dynamic Client Registration feature when clients authenticate using private_key_jwt. The issue allows a client to specify an arbitrary jwks_uri, which Keycloak then retrieves without validating the destination. This enables attackers to coerce the Keycloak server into making HTTP requests to internal or restricted network resources. As a result, attackers can probe internal services and cloud metadata endpoints, creating an information disclosure and reconnaissance risk. | |
| CVE-2025-11538 | Med | 0.37 | 6.8 | 0.00 | Nov 13, 2025 | A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug <port>) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to attach a remote debugger and achieve remote code execution within the Keycloak Java virtual machine. | |
| CVE-2025-14559 | Med | 0.35 | 6.5 | 0.00 | Jan 21, 2026 | A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a privileged client invokes the token exchange flow. | |
| CVE-2017-12158 | Med | 0.35 | 5.4 | 0.01 | Oct 26, 2017 | It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. | |
| CVE-2026-0707 | Med | 0.34 | 5.3 | 0.00 | Jan 8, 2026 | A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications. | |
| CVE-2025-12390 | Med | 0.32 | 6.0 | 0.00 | Oct 28, 2025 | A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user. | |
| CVE-2025-9162 | Med | 0.32 | 4.9 | 0.00 | Aug 21, 2025 | A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted realm documents are processed. An attacker can leverage this to inject malicious content during the realm import procedure. This can lead to unintended consequences within the Keycloak environment. | |
| CVE-2025-13467 | Med | 0.29 | 5.5 | 0.00 | Nov 25, 2025 | A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. | |
| CVE-2025-12110 | Med | 0.28 | 5.4 | 0.00 | Oct 23, 2025 | A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are. | |
| CVE-2025-11429 | Med | 0.28 | 5.4 | 0.00 | Oct 23, 2025 | A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session expiration logic relying on the session-local "remember-me" flag without validating the current realm-level configuration. | |
| CVE-2025-10044 | Med | 0.28 | 4.3 | 0.00 | Sep 5, 2025 | A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages (e.g., fake support phone numbers or URLs), which are displayed within the trusted Keycloak UI. This creates a phishing vector, potentially tricking users into contacting malicious actors. | |
| CVE-2025-10939 | Low | 0.24 | 3.7 | 0.00 | Oct 28, 2025 | A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to /realms which is expected to be exposed. | |
| CVE-2026-6856 | low | 0.20 | 3.1 | — | Apr 13, 2026 | keycloak: keycloak: acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration |