Keycloak: All CVEs
106 total · sorted by risk

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-10939 | Keycloak | Low | 0.24 | 3.7 | 0.00 | — | Oct 28, 2025 | A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application… |
| CVE-2023-0657 | Keycloak | Low | 0.22 | 3.4 | 0.00 | — | Nov 17, 2024 | A flaw was found in Keycloak. This issue occurs due to improperly enforcing token types when validating signatures locally. This could allow an authenticated attacker to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. |
| CVE-2026-9791 | Keycloak | Med | 0.21 | 4.3 | 0.00 | — | May 28, 2026 | A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata… |
| CVE-2026-8830 | Keycloak | Med | 0.21 | 4.3 | 0.00 | — | May 19, 2026 | A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly created credential's… |
| CVE-2025-10044 | Keycloak | Med | 0.21 | 4.3 | 0.00 | — | Sep 5, 2025 | A flaw was found in Keycloak. Keycloak’s account console and other pages accept arbitrary text in the error_description query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft… |
| CVE-2026-6856 | Keycloak | Low | 0.20 | 3.1 | — | — | Apr 13, 2026 | keycloak: keycloak: acceptable AAGUID policy bypass via packed self-attestation in WebAuthn registration |
| CVE-2026-1035 | Keycloak | Low | 0.20 | 3.1 | 0.00 | — | Jan 21, 2026 | A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not… |
| CVE-2026-1518 | Keycloak | Low | 0.18 | 2.7 | 0.00 | — | Feb 2, 2026 | A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. |
| CVE-2025-14083 | Keycloak | Low | 0.18 | 2.7 | 0.00 | — | Jan 21, 2026 | A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. |
| CVE-2026-3911 | Keycloak | Low | 0.11 | 2.7 | 0.00 | — | Mar 11, 2026 | A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This… |
| CVE-2025-14082 | Keycloak | Low | 0.11 | 2.7 | 0.00 | — | Dec 10, 2025 | A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. |
| CVE-2024-10492 | Keycloak | Low | 0.11 | 2.7 | 0.01 | — | Nov 25, 2024 | A vulnerability was found in Keycloak. A user with high privileges could read sensitive information from a Vault file that is not within the expected context. This attacker must have previous high access to the Keycloak server in order to perform resource creation, for example,… |
| CVE-2020-10770 | Keycloak | — | 0.09 | — | 0.70 | — | Dec 15, 2020 | A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. |
| CVE-2026-2603 | Keycloak | — | 0.00 | — | 0.00 | — | Mar 18, 2026 | A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when… |
| CVE-2025-12150 | Keycloak | — | 0.00 | — | 0.00 | — | Feb 27, 2026 | A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is… |
| CVE-2025-8419 | Keycloak | — | 0.00 | — | 0.00 | — | Aug 6, 2025 | A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very… |
| CVE-2025-5416 | Keycloak | — | 0.00 | — | 0.00 | — | Jun 20, 2025 | A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an already authenticated user, the /admin/serverinfo endpoint can inadvertently provide sensitive environment information. |
| CVE-2025-3910 | Keycloak | — | 0.00 | — | 0.00 | — | Apr 29, 2025 | A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
| CVE-2023-4918 | Keycloak | — | 0.00 | — | 0.00 | — | Sep 12, 2023 | A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights… |
| CVE-2022-4361 | Keycloak | — | 0.00 | — | 0.01 | — | Jul 7, 2023 | Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OIDC providers. The vulnerability can allow an attacker to execute malicious scripts by setting the AssertionConsumerServiceURL value or the… |
| CVE-2023-1664 | Keycloak | — | 0.00 | — | 0.00 | — | May 26, 2023 | A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and the reverse proxy is not validating the certificate before Keycloak. Using this method an attacker may choose the certificate which will be validated… |
| CVE-2022-1274 | Keycloak | — | 0.00 | — | 0.01 | — | Mar 29, 2023 | A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. |
| CVE-2022-2237 | Keycloak | — | 0.00 | — | 0.00 | — | Mar 27, 2023 | A flaw was found in the Keycloak Node.js Adapter. This flaw allows an attacker to benefit from an Open Redirect vulnerability in the checkSso function. |
| CVE-2022-2256 | Keycloak | — | 0.00 | — | 0.01 | — | Sep 1, 2022 | A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality. |
| CVE-2022-0225 | Keycloak | — | 0.00 | — | 0.03 | — | Aug 26, 2022 | A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack. |
| CVE-2021-3632 | Keycloak | — | 0.00 | — | 0.01 | — | Aug 26, 2022 | A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. |
| CVE-2021-3754 | Keycloak | — | 0.00 | — | 0.02 | — | Aug 26, 2022 | A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password. |
| CVE-2021-3856 | Keycloak | — | 0.00 | — | 0.01 | — | Aug 26, 2022 | ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if… |
| CVE-2020-35509 | Keycloak | — | 0.00 | — | 0.00 | — | Aug 23, 2022 | A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant authenticator because of missing time stamp validations. The highest threat from this vulnerability is to data confidentiality and integrity. |
| CVE-2021-3827 | Keycloak | — | 0.00 | — | 0.01 | — | Aug 23, 2022 | A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's… |
| CVE-2021-3513 | Keycloak | — | 0.00 | — | 0.01 | — | Aug 22, 2022 | A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is due to a wrong error message displayed when wrong credentials are entered. The highest threat from this vulnerability is to confidentiality. |
| CVE-2022-2668 | Keycloak | — | 0.00 | — | 0.01 | — | Aug 5, 2022 | An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled |
| CVE-2022-1245 | Keycloak | — | 0.00 | — | 0.01 | — | Jul 7, 2022 | A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application holding a valid access token to exchange tokens for any target client by passing the client_id of the target. This could allow a client to gain… |
| CVE-2021-3461 | Keycloak | — | 0.00 | — | 0.00 | — | Apr 1, 2022 | A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identity provider and Principal Type is set to Attribute [Name]. |
| CVE-2021-4133 | Keycloak | — | 0.00 | — | 0.01 | — | Jan 25, 2022 | A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled. |
| CVE-2021-3424 | Keycloak | — | 0.00 | — | 0.01 | — | Jun 1, 2021 | A flaw was found in keycloak as shipped in Red Hat Single Sign-On 7.4 where IDN homograph attacks are possible. A malicious user can register himself with a name already registered and trick admin to grant him extra privileges. |
| CVE-2021-20195 | Keycloak | — | 0.00 | — | 0.01 | — | May 28, 2021 | A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from… |
| CVE-2020-27826 | Keycloak | — | 0.00 | — | 0.01 | — | May 28, 2021 | A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account REST API. This flaw allows an attacker to change its own NameID attribute to impersonate the admin user for any particular application. |
| CVE-2021-20202 | Keycloak | — | 0.00 | — | 0.00 | — | May 12, 2021 | A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but with wider user permissions, allowing the attacker to have access to the contents that keycloak stores in this directory. The highest threat from this… |
| CVE-2021-20222 | Keycloak | — | 0.00 | — | 0.01 | — | Mar 23, 2021 | A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
| CVE-2021-20262 | Keycloak | — | 0.00 | — | 0.00 | — | Mar 9, 2021 | A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attacker to take over an account if they can obtain temporary, physical access to a user’s browser. The highest threat from this vulnerability is to… |
| CVE-2020-27838 | Keycloak | — | 0.00 | — | 0.18 | — | Mar 8, 2021 | A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients (like client secret) without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest… |
| CVE-2020-14359 | Keycloak | — | 0.00 | — | 0.01 | — | Feb 23, 2021 | A vulnerability was found in all versions of Keycloak Gatekeeper, where on using lower case HTTP headers (via cURL) an attacker can bypass our Gatekeeper. Lower case headers are also accepted by some webservers (e.g. Jetty). This means there is no protection when we put a… |
| CVE-2020-10734 | Keycloak | — | 0.00 | — | 0.00 | — | Feb 11, 2021 | A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped with Red Hat Fuse 7, Red Hat Single Sign-on 7, and Red Hat Openshift Application Runtimes are believed to be vulnerable. |
| CVE-2020-1717 | Keycloak | — | 0.00 | — | 0.01 | — | Feb 11, 2021 | A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack. |
| CVE-2020-1725 | Keycloak | — | 0.00 | — | 0.01 | — | Jan 28, 2021 | A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the role mappings in Keycloak and after expiration of the previous access token. |
| CVE-2020-14302 | Keycloak | — | 0.00 | — | 0.01 | — | Dec 15, 2020 | A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay… |
| CVE-2020-10776 | Keycloak | — | 0.00 | — | 0.01 | — | Nov 17, 2020 | A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack. |
| CVE-2020-14389 | Keycloak | — | 0.00 | — | 0.01 | — | Nov 17, 2020 | It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have. |
| CVE-2020-1694 | Keycloak | — | 0.00 | — | 0.02 | — | Sep 16, 2020 | A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions. |
Page 2 of 3