Package impact

java Maven / org.keycloak:keycloak-services

CVE             Severity Published Description
CVE-2026-37977  unknown  2mo ago   Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim
CVE-2026-4282   unknown  2mo ago   Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw
CVE-2026-4636   unknown  2mo ago   Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants
CVE-2026-4634   unknown  2mo ago   Keycloak: Application-Level DoS via Scope Processing
CVE-2026-4325   unknown  2mo ago   Keycloak: Replay of action tokens via improper handling of single-use entries
CVE-2026-3872   unknown  2mo ago   Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint
CVE-2026-3121   unknown  2mo ago   Keycloak: manage-clients permission escalates to full realm admin access
CVE-2026-3190   unknown  2mo ago   Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure
CVE-2026-4633   unknown  2mo ago   Keycloak's identity-first login flow exposes user information
CVE-2026-4628   unknown  2mo ago   Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false
CVE-2026-2092   unknown  3mo ago   Keycloak: Unauthorized access via improper validation of encrypted SAML assertions
CVE-2026-3429   unknown  3mo ago   Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API
CVE-2026-3009   unknown  3mo ago   Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator
CVE-2025-12150  unknown  3mo ago   Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass
CVE-2026-2733   unknown  4mo ago   Keycloak: Missing Check on Disabled Client for Docker Registry Protocol
CVE-2026-1529   unknown  4mo ago   Keycloak affected by improper invitation token validation
CVE-2026-1486   unknown  4mo ago   Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens
CVE-2025-14778  unknown  4mo ago   Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService
CVE-2025-13881  unknown  4mo ago   Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes
CVE-2026-1190   unknown  4mo ago   Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods
CVE-2025-14083  unknown  4mo ago   Keycloak Admin REST API exposes backend schema and rules
CVE-2025-14559  unknown  4mo ago   Keycloak services allows the issuance of access and refresh tokens for disabled users
CVE-2026-1035   unknown  4mo ago   Keycloak does not validate and update refresh token usage atomically
CVE-2025-14082  unknown  6mo ago   Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions
CVE-2025-12390  unknown  7mo ago   Keycloak vulnerable to session takeovers due to reuse of session identifiers
CVE-2025-12110  unknown  7mo ago   Keycloak does not invalidate offline sessions when the offline_access scope is removed
CVE-2025-11429  unknown  7mo ago   Keycloak does not invalidate sessions when "Remember Me" is disabled
CVE-2025-8419   unknown  9mo ago   Keycloak SMTP Inject Vulnerability
CVE-2025-3910   unknown  1y ago    Keycloak vulnerable to two factor authentication bypass
CVE-2025-3501   unknown  1y ago    Keycloak hostname verification
CVE-2024-7341   unknown  2y ago    Keycloak has session fixation in Elytron SAML adapters
CVE-2024-8883   unknown  2y ago    Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect
CVE-2024-4629   unknown  2y ago    Keycloak Services has a potential bypass of brute force protection
CVE-2024-1722   unknown  2y ago    Keycloak Denial of Service via account lockout
CVE-2021-3754   unknown  2y ago    Keycloak's improper input validation allows using email as username
CVE-2024-3656   unknown  2y ago    Keycloak's admin API allows low privilege users to use administrative functions
CVE-2024-4540   unknown  2y ago    Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)
CVE-2023-0657   unknown  2y ago    Keycloak vulnerable to impersonation via logout token exchange
CVE-2023-6787   unknown  2y ago    Keycloak vulnerable to session hijacking via re-authentication
CVE-2024-1132   unknown  2y ago    Keycloak path traversal vulnerability in redirection validation
CVE-2023-6484   unknown  2y ago    Keycloak vulnerable to log Injection during WebAuthn authentication or registration
CVE-2023-6544   unknown  2y ago    Keycloak Authorization Bypass vulnerability
CVE-2023-3597   unknown  2y ago    Keycloak secondary factor bypass in step-up authentication
CVE-2024-2419   unknown  2y ago    Keycloak path traversal vulnerability in the redirect validation
CVE-2023-6291   unknown  3y ago    The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted
CVE-2023-6134   unknown  3y ago    Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri
CVE-2022-2232   unknown  3y ago    Keycloak vulnerable to LDAP Injection on UsernameForm Login
CVE-2023-2422   unknown  3y ago    Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients
CVE-2022-4361   unknown  3y ago    Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC
CVE-2023-2585   unknown  3y ago    Client Spoofing within the Keycloak Device Authorisation Grant
CVE-2023-0264   unknown  3y ago    Keycloak vulnerable to user impersonation via stolen UUID code
CVE-2022-1274   unknown  3y ago    HTML Injection in Keycloak Admin REST API
CVE-2022-1438   unknown  3y ago    Keycloak vulnerable to Cross-site Scripting
CVE-2014-3652   unknown  4y ago    JBoss KeyCloak Open Redirect
CVE-2018-10894  unknown  4y ago    Keycloak Authentication Error
CVE-2022-1245   unknown  4y ago    Keycloak vulnerable to privilege escalation on Token Exchange feature
CVE-2020-10776  unknown  4y ago    Cross-site Scripting in keycloak
CVE-2021-4133   unknown  5y ago    Improper Authorization in Keycloak