Vendor CVEs
Keycloak
All CVEs
106 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-7474 | Keycloak | Critical | 0.64 | 9.8 | 0.03 | | May 12, 2017 | It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks. |
| CVE-2014-3709 | Keycloak | High | 0.50 | 8.8 | 0.01 | | Oct 18, 2017 | The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection. |
| CVE-2025-11419 | Keycloak | High | 0.49 | 7.5 | 0.01 | | Dec 23, 2025 | A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable. |
| CVE-2014-3651 | Keycloak | High | 0.49 | 7.5 | 0.02 | | Dec 29, 2017 | JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation. |
| CVE-2017-12159 | Keycloak | High | 0.49 | 7.5 | 0.02 | | Oct 26, 2017 | It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks. |
| CVE-2026-9086 | Keycloak | Important | 0.47 | 7.3 | 0.00 | | Jun 25, 2026 | keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass |
| CVE-2026-11577 | Keycloak | High | 0.47 | 7.2 | 0.00 | | Jun 8, 2026 | A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm… |
| CVE-2026-9795 | Keycloak | High | 0.47 | 7.3 | 0.00 | | May 28, 2026 | A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses… |
| CVE-2025-3501 | Keycloak | High | 0.46 | 8.2 | 0.00 | | Apr 29, 2025 | A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. |
| CVE-2024-10039 | Keycloak | High | 0.45 | — | 0.00 | | Nov 25, 2024 | A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the… |
| CVE-2026-9802 | Keycloak | Medium | 0.44 | 6.8 | 0.00 | | May 28, 2026 | A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even… |
| CVE-2026-9704 | Keycloak | Medium | 0.44 | 6.8 | 0.00 | | May 27, 2026 | A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to… |
| CVE-2026-12388 | Keycloak | Moderate | 0.42 | 6.5 | — | | Jun 30, 2026 | keycloak-broker: Keycloak: Privilege escalation to realm administrator via improper authorization in identity provider mapper |
| CVE-2026-9705 | Keycloak | Moderate | 0.42 | 6.5 | 0.00 | | Jun 25, 2026 | keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token |
| CVE-2026-9796 | Keycloak | Medium | 0.42 | 6.5 | 0.00 | | May 28, 2026 | A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users… |
| CVE-2026-9792 | Keycloak | Medium | 0.42 | 6.5 | 0.00 | | May 28, 2026 | A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant`… |
| CVE-2026-7307 | Keycloak | High | 0.42 | 7.5 | 0.01 | | May 19, 2026 | A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS)… |
| CVE-2022-2232 | Keycloak | High | 0.42 | 7.5 | 0.01 | | Nov 14, 2024 | A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions. |
| CVE-2026-7571 | Keycloak | High | 0.39 | 7.1 | 0.00 | | May 19, 2026 | A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can… |
| CVE-2025-14777 | Keycloak | Medium | 0.39 | 6.0 | 0.00 | | Dec 16, 2025 | A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer… |
| CVE-2026-9793 | Keycloak | Medium | 0.38 | 5.9 | 0.00 | | May 28, 2026 | A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit… |
| CVE-2026-4366 | Keycloak | Medium | 0.38 | 5.8 | 0.00 | | Mar 18, 2026 | A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or… |
| CVE-2026-37982 | Keycloak | Medium | 0.37 | 6.8 | 0.00 | | May 19, 2026 | A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own… |
| CVE-2025-11538 | Keycloak | Medium | 0.37 | 6.8 | 0.00 | | Nov 13, 2025 | A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker… |
| CVE-2026-9087 | Keycloak | Medium | 0.35 | 6.4 | 0.00 | | May 20, 2026 | A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local… |
| CVE-2026-37979 | Keycloak | Medium | 0.35 | 6.5 | 0.00 | | May 19, 2026 | A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims… |
| CVE-2025-0604 | Keycloak | Medium | 0.35 | 5.4 | 0.01 | | Jan 22, 2025 | A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in… |
| CVE-2024-11734 | Keycloak | Medium | 0.35 | 6.5 | 0.01 | | Jan 14, 2025 | A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server… |
| CVE-2024-10270 | Keycloak | Medium | 0.35 | 6.5 | 0.01 | | Nov 25, 2024 | A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity. |
| CVE-2017-12158 | Keycloak | Medium | 0.35 | 5.4 | 0.01 | | Oct 26, 2017 | It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. |
| CVE-2026-9083 | Keycloak | Moderate | 0.32 | 4.9 | 0.01 | | Jun 25, 2026 | keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing |
| CVE-2025-12390 | Keycloak | Medium | 0.32 | 6.0 | 0.00 | | Oct 28, 2025 | A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser… |
| CVE-2025-9162 | Keycloak | Medium | 0.32 | 4.9 | 0.00 | | Aug 21, 2025 | A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted… |
| CVE-2025-2559 | Keycloak | Medium | 0.32 | 4.9 | 0.01 | | Mar 25, 2025 | A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an… |
| CVE-2024-9666 | Keycloak | Medium | 0.31 | 4.7 | 0.00 | | Nov 25, 2024 | A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated… |
| CVE-2024-10451 | Keycloak | Medium | 0.31 | 5.9 | 0.01 | | Nov 25, 2024 | A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data… |
| CVE-2024-10973 | Keycloak | Medium | 0.30 | 5.7 | 0.00 | | Dec 17, 2024 | A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read… |
| CVE-2025-13467 | Keycloak | Medium | 0.29 | 5.5 | 0.00 | | Nov 25, 2025 | A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration. |
| CVE-2026-14209 | Keycloak | Moderate | 0.28 | 4.3 | — | | Jun 30, 2026 | keycloak-admin-ui: keycloak-admin-ui: Keycloak: Admin UI extension brute-force-user endpoint bypasses FGAPv2 user view restrictions |
| CVE-2026-9798 | Keycloak | Medium | 0.28 | 4.3 | 0.00 | | May 28, 2026 | A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA)… |
| CVE-2026-8922 | Keycloak | Medium | 0.28 | 5.4 | 0.00 | | May 19, 2026 | A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain… |
| CVE-2025-12110 | Keycloak | Medium | 0.28 | 5.4 | 0.00 | | Oct 23, 2025 | A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes… |
| CVE-2025-11429 | Keycloak | Medium | 0.28 | 5.4 | 0.00 | | Oct 23, 2025 | A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the… |
| CVE-2025-1391 | Keycloak | Medium | 0.28 | 5.4 | 0.00 | | Feb 17, 2025 | A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an… |
| CVE-2026-9794 | Keycloak | Medium | 0.27 | 5.3 | 0.00 | | May 28, 2026 | A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct… |
| CVE-2026-9689 | Keycloak | Medium | 0.27 | 4.2 | 0.00 | | May 27, 2026 | A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web… |
| CVE-2026-0707 | Keycloak | Medium | 0.27 | 5.3 | 0.00 | | Jan 8, 2026 | A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750… |
| CVE-2026-37978 | Keycloak | Medium | 0.25 | 4.9 | 0.00 | | May 19, 2026 | A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable… |
| CVE-2024-4028 | Keycloak | Low | 0.25 | 3.8 | 0.00 | | Feb 18, 2025 | A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack. |
| CVE-2024-11736 | Keycloak | Medium | 0.25 | 4.9 | 0.01 | | Jan 14, 2025 | A vulnerability was found in Keycloak. Admin users may have to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or… |
Page 1 of 3