VYPR

Vendor CVEs

Keycloak

All CVEs

106 total · sorted by risk
  • CVE-2017-7474 · Critical · May 12, 2017
    risk 0.64 · cvss 9.8 · epss 0.03

    It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks.

  • CVE-2014-3709 · High · Oct 18, 2017
    risk 0.50 · cvss 8.8 · epss 0.01

    The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack of CSRF protection.

  • CVE-2025-11419 · High · Dec 23, 2025
    risk 0.49 · cvss 7.5 · epss 0.01

    A flaw was found in Keycloak. This vulnerability allows an unauthenticated remote attacker to cause a denial of service (DoS) by repeatedly initiating TLS 1.2 client-initiated renegotiation requests to exhaust server CPU resources, making the service unavailable.

  • CVE-2014-3651 · High · Dec 29, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation.

  • CVE-2017-12159 · High · Oct 26, 2017
    risk 0.49 · cvss 7.5 · epss 0.02

    It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw to gain access to an authenticated user session, leading to possible information disclosure or further attacks.

  • CVE-2026-9086 · Important · Jun 25, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    keycloak: Keycloak: Cross-site scripting (XSS) via case-insensitive URI validation bypass

  • CVE-2026-11577 · High · Jun 8, 2026
    risk 0.47 · cvss 7.2 · epss 0.00

    A flaw was found in Keycloak. A limited administrator can exploit an improper access control vulnerability in the POST /admin/realms/{realm}/partialImport endpoint. This allows them to bypass Fine-Grained Admin Permissions (FGAP) and escalate their privileges to a full realm…

  • CVE-2026-9795 · High · May 28, 2026
    risk 0.47 · cvss 7.3 · epss 0.00

    A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses…

  • CVE-2025-3501 · High · Apr 29, 2025
    risk 0.46 · cvss 8.2 · epss 0.00

    A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended.

  • CVE-2024-10039 · High · Nov 25, 2024
    risk 0.45 · cvss · epss 0.00

    A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the…

  • CVE-2026-9802 · Medium · May 28, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even…

  • CVE-2026-9704 · Medium · May 27, 2026
    risk 0.44 · cvss 6.8 · epss 0.00

    A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently dropped, causing the system to…

  • CVE-2026-12388 · Moderate · Jun 30, 2026
    risk 0.42 · cvss 6.5 · epss

    keycloak-broker: Keycloak: Privilege escalation to realm administrator via improper authorization in identity provider mapper

  • CVE-2026-9705 · Moderate · Jun 25, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    keycloak: Keycloak: Attacker can re-enable and take over disabled clients via Registration Access Token

  • CVE-2026-9796 · Medium · May 28, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges to `realm-admin` for all users…

  • CVE-2026-9792 · Medium · May 28, 2026
    risk 0.42 · cvss 6.5 · epss 0.00

    A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the `reject-ropc-grant`…

  • CVE-2026-7307 · High · May 19, 2026
    risk 0.42 · cvss 7.5 · epss 0.01

    A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to a Denial of Service (DoS)…

  • CVE-2022-2232 · High · Nov 14, 2024
    risk 0.42 · cvss 7.5 · epss 0.01

    A flaw was found in the Keycloak package. This flaw allows an attacker to utilize an LDAP injection to bypass the username lookup or potentially perform other malicious actions.

  • CVE-2026-7571 · High · May 19, 2026
    risk 0.39 · cvss 7.1 · epss 0.00

    A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session restart, an attacker can…

  • CVE-2025-14777 · Medium · Dec 16, 2025
    risk 0.39 · cvss 6.0 · epss 0.00

    A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization resource management, specifically in ResourceSetService and PermissionTicketService. The system checks authorization against the resourceServer…

  • CVE-2026-9793 · Medium · May 28, 2026
    risk 0.38 · cvss 5.9 · epss 0.00

    A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remote attacker to submit…

  • CVE-2026-4366 · Medium · Mar 18, 2026
    risk 0.38 · cvss 5.8 · epss 0.00

    A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or…

  • CVE-2026-37982 · Medium · May 19, 2026
    risk 0.37 · cvss 6.8 · epss 0.00

    A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can register their own…

  • CVE-2025-11538 · Medium · Nov 13, 2025
    risk 0.37 · cvss 6.8 · epss 0.00

    A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker…

  • CVE-2026-9087 · Medium · May 20, 2026
    risk 0.35 · cvss 6.4 · epss 0.00

    A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get linked to the victim's local…

  • CVE-2026-37979 · Medium · May 19, 2026
    risk 0.35 · cvss 6.5 · epss 0.00

    A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims…

  • CVE-2025-0604 · Medium · Jan 22, 2025
    risk 0.35 · cvss 5.4 · epss 0.01

    A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in…

  • CVE-2024-11734 · Medium · Jan 14, 2025
    risk 0.35 · cvss 6.5 · epss 0.01

    A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server…

  • CVE-2024-10270 · Medium · Nov 25, 2024
    risk 0.35 · cvss 6.5 · epss 0.01

    A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to a Regex complexity.

  • CVE-2017-12158 · Medium · Oct 26, 2017
    risk 0.35 · cvss 5.4 · epss 0.01

    It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.

  • CVE-2026-9083 · Moderate · Jun 25, 2026
    risk 0.32 · cvss 4.9 · epss 0.01

    keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing

  • CVE-2025-12390 · Medium · Oct 28, 2025
    risk 0.32 · cvss 6.0 · epss 0.00

    A flaw was found in Keycloak, where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn't clean up properly during logout when browser…

  • CVE-2025-9162 · Medium · Aug 21, 2025
    risk 0.32 · cvss 4.9 · epss 0.00

    A flaw was found in org.keycloak/keycloak-model-storage-service. The KeycloakRealmImport custom resource substitutes placeholders within imported realm documents, potentially referencing environment variables. This substitution process allows for injection attacks when crafted…

  • CVE-2025-2559 · Medium · Mar 25, 2025
    risk 0.32 · cvss 4.9 · epss 0.01

    A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an…

  • CVE-2024-9666 · Medium · Nov 25, 2024
    risk 0.31 · cvss 4.7 · epss 0.00

    A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated…

  • CVE-2024-10451 · Medium · Nov 25, 2024
    risk 0.31 · cvss 5.9 · epss 0.01

    A flaw was found in Keycloak. This issue occurs because sensitive runtime values, such as passwords, may be captured during the Keycloak build process and embedded as default values in bytecode, leading to unintended information disclosure. In Keycloak 26, sensitive data…

  • CVE-2024-10973 · Medium · Dec 17, 2024
    risk 0.30 · cvss 5.7 · epss 0.00

    A vulnerability was found in Keycloak. The environment option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the JGroups replication configuration is always used in plain text which can allow an attacker that has access to adjacent networks related to JGroups to read…

  • CVE-2025-13467 · Medium · Nov 25, 2025
    risk 0.29 · cvss 5.5 · epss 0.00

    A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration.

  • CVE-2026-14209 · Moderate · Jun 30, 2026
    risk 0.28 · cvss 4.3 · epss

    keycloak-admin-ui: keycloak-admin-ui: Keycloak: Admin UI extension brute-force-user endpoint bypasses FGAPv2 user view restrictions

  • CVE-2026-9798 · Medium · May 28, 2026
    risk 0.28 · cvss 4.3 · epss 0.00

    A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication (CIBA)…

  • CVE-2026-8922 · Medium · May 19, 2026
    risk 0.28 · cvss 5.4 · epss 0.00

    A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain…

  • CVE-2025-12110 · Medium · Oct 23, 2025
    risk 0.28 · cvss 5.4 · epss 0.00

    A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes…

  • CVE-2025-11429 · Medium · Oct 23, 2025
    risk 0.28 · cvss 5.4 · epss 0.00

    A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the…

  • CVE-2025-1391 · Medium · Feb 17, 2025
    risk 0.28 · cvss 5.4 · epss 0.00

    A flaw was found in the Keycloak organization feature, which allows the incorrect assignment of an organization to a user if their username or email matches the organization’s domain pattern. This issue occurs at the mapper level, leading to misrepresentation in tokens. If an…

  • CVE-2026-9794 · Medium · May 28, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct…

  • CVE-2026-9689 · Medium · May 27, 2026
    risk 0.27 · cvss 4.2 · epss 0.00

    A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by crafting a special web…

  • CVE-2026-0707 · Medium · Jan 8, 2026
    risk 0.27 · cvss 5.3 · epss 0.00

    A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750…

  • CVE-2026-37978 · Medium · May 19, 2026
    risk 0.25 · cvss 4.9 · epss 0.00

    A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role personally identifiable…

  • CVE-2024-4028 · Low · Feb 18, 2025
    risk 0.25 · cvss 3.8 · epss 0.00

    A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.

  • CVE-2024-11736 · Medium · Jan 14, 2025
    risk 0.25 · cvss 4.9 · epss 0.01

    A vulnerability was found in Keycloak. Admin users may be able to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like ${env.VARNAME} or…

Page 1 of 3