| CVE-2026-37982 |
medium |
6.8 |
6.8 |
|
|
|
17d ago |
Keycloak: Unauthorized account takeover via WebAuthn token replay |
| CVE-2026-37979 |
medium |
6.5 |
6.5 |
|
|
|
17d ago |
Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass |
| CVE-2025-7784 |
medium |
6.5 |
6.5 |
|
|
|
11mo ago |
Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled) |
| CVE-2024-10270 |
medium |
6.5 |
6.5 |
|
|
|
2y ago |
org.keycloak:keycloak-services has Inefficient Regular Expression Complexity |
| CVE-2023-6717 |
medium |
6.0 |
6.0 |
|
|
|
2y ago |
A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cr… |
| CVE-2026-8922 |
medium |
5.4 |
5.4 |
|
|
|
17d ago |
Keycloak: Revoked Tokens Can Remain Active When Both Realm-Level and Client-Level `notBefore` Revocation Policies are Configured |
| CVE-2026-7500 |
medium |
5.4 |
5.4 |
|
|
|
1mo ago |
Keycloak has a Forced Browsing issue |
| CVE-2025-1391 |
medium |
5.4 |
5.4 |
|
|
|
1y ago |
Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims |
| CVE-2026-2575 |
medium |
5.3 |
5.3 |
|
|
|
3mo ago |
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding.… |
| CVE-2026-37978 |
medium |
4.9 |
4.9 |
|
|
|
17d ago |
Keycloak: Information Disclosure via evaluate-scopes Admin API |
| CVE-2025-2559 |
medium |
4.9 |
4.9 |
|
|
|
1y ago |
Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache |
| CVE-2026-37980 |
medium |
4.8 |
4.8 |
|
|
|
2mo ago |
A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cro… |
| CVE-2026-8830 |
medium |
4.3 |
4.3 |
|
|
|
18d ago |
Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation |
