| CVE | Severity | Score | Score | Age | Summary |
|---|---|---|---|---|---|
| CVE-2014-3709 | high | 8.8 | 8.8 | 9y ago | JBoss Keycloak CSRF Vulnerability |
| CVE-2026-7504 | high | 8.1 | 8.1 | 17d ago | Keycloak: Open redirect when using wildcard valid redirect URIs in Keycloak |
| CVE-2026-2603 | high | — | 8.0 | 3mo ago | Keycloak: Unauthorized authentication via disabled SAML Identity Provider |
| CVE-2021-3424 | high | — | 8.0 | 4y ago | Keycloak is vulnerable to IDN homograph attack |
| CVE-2026-7507 | high | 7.5 | 7.5 | 17d ago | Keycloak: Session fixation in OIDC login flow that can lead to account takeover |
| CVE-2024-1249 | high | 7.4 | 7.4 | 2y ago | A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seco… |
| CVE-2026-7571 | high | 7.1 | 7.1 | 17d ago | Keycloak: Access token disclosure and implicit flow bypass via forged client data |
| CVE-2025-7365 | high | 7.1 | 7.1 | 11mo ago | Keycloak phishing attack via email verification step in first login flow |
| CVE-2026-37982 | medium | 6.8 | 6.8 | 17d ago | Keycloak: Unauthorized account takeover via WebAuthn token replay |
| CVE-2026-37979 | medium | 6.5 | 6.5 | 17d ago | Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass |
| CVE-2025-7784 | medium | 6.5 | 6.5 | 11mo ago | Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled) |
| CVE-2024-10270 | medium | 6.5 | 6.5 | 2y ago | org.keycloak:keycloak-services has Inefficient Regular Expression Complexity |
| CVE-2023-6717 | medium | 6.0 | 6.0 | 2y ago | A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cr… |
| CVE-2026-8922 | medium | 5.4 | 5.4 | 17d ago | Keycloak: Revoked Tokens Can Remain Active When Both Realm-Level and Client-Level `notBefore` Revocation Policies are Configured |
| CVE-2026-7500 | medium | 5.4 | 5.4 | 1mo ago | Keycloak has a Forced Browsing issue |
| CVE-2025-1391 | medium | 5.4 | 5.4 | 1y ago | Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims |
| CVE-2026-2575 | medium | 5.3 | 5.3 | 3mo ago | A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding.… |
| CVE-2026-37978 | medium | 4.9 | 4.9 | 17d ago | Keycloak: Information Disclosure via evaluate-scopes Admin API |
| CVE-2025-2559 | medium | 4.9 | 4.9 | 1y ago | Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache |
| CVE-2026-37980 | medium | 4.8 | 4.8 | 2mo ago | A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cro… |
| CVE-2026-8830 | medium | 4.3 | 4.3 | 17d ago | Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation |