Build Of Keycloak
Monthly
Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.
Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse that token after it has been revoked, bypassing session expiration controls. The vulnerability surfaces specifically when revokeRefreshToken=true is configured alongside persistent session storage, and is triggered by a server restart that resets the internal timing mechanisms responsible for enforcing token revocation. Successful exploitation can yield full account takeover, information disclosure, or privilege escalation; no public exploit identified at time of analysis and the CVE does not appear in CISA KEV.
Denial of service in Keycloak's LDAP federation layer allows an authenticated realm administrator - or an attacker who has compromised an upstream LDAP server - to crash the entire Keycloak JVM by inducing an OutOfMemoryError through a malformed LDAP password policy response. Because Keycloak typically serves multiple realms from a single JVM process, a successful attack denies service to all realms on the affected node, not just the targeted one. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow fails to enforce brute-force account lockouts, allowing an attacker with valid OAuth client credentials to continue initiating authentication requests and obtain tokens for a user account that should be temporarily locked. This undermines the core account-protection mechanism designed to throttle credential-stuffing and password-guessing campaigns. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though its CVSS score of 4.3 understates the strategic value of bypassing a lockout policy in an identity provider.
Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of a client's service account by submitting an oversized subject_token JWT to the TokenEndpoint. When the token exceeds the 4000-character limit it is silently discarded rather than rejected, causing the server to fall back to client-credentials authentication and grant the attacker the client's service-account scope. No public exploit identified at time of analysis and EPSS is very low (0.04%), but CVSS rates the issue 8.8 due to full CIA impact post-exploitation.
HTTP parameter pollution in Keycloak enables authentication bypass against deployments where OAuth/OIDC client applications are configured with permissive redirect URI patterns. An unauthenticated remote attacker who can trick a user into clicking a crafted authorization URL can inject duplicate HTTP parameters into the OAuth flow, causing the client application to prioritize attacker-supplied values over server-authoritative data - potentially hijacking the authentication process or gaining unauthorized resource access. No public exploit has been identified and EPSS (0.08%, 23rd percentile) signals low real-world exploitation probability; however, the authentication bypass impact is meaningful in identity-sensitive deployments.
Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or manage-organizations privileges to inject malicious JavaScript via the organization.alias field, enabling arbitrary script execution in users' browsers when they access the login page. Exploitation requires high-privilege administrative access and user interaction (viewing the login page), with potential impact including session theft and unauthorized account actions. No public exploit code or active exploitation confirmed at time of analysis.
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. [CVSS 2.7 LOW]
Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowing attackers with valid credentials to establish authenticated sessions and access other enabled clients without re-authentication. An authenticated remote attacker can exploit this authentication bypass to gain unauthorized access to protected resources across the Keycloak ecosystem. No patch is currently available.
Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowing attackers with knowledge of an IdP alias to reuse previous login requests and authenticate through administratively disabled external providers. This authentication bypass affects any Keycloak deployment relying on IdP disablement as an access control mechanism. An attacker can exploit this to gain unauthorized access by circumventing intended administrative restrictions on external authentication sources.
A flaw was found in Keycloak’s WebAuthn registration component. [CVSS 3.1 LOW]
Build Of Keycloak contains a vulnerability that allows attackers to unauthorized changes to user profiles, even when the system is configured to res (CVSS 4.9).
Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manage-users role to escalate privileges to realm-admin through improper privilege enforcement. When FGAPv2 is enabled, this vulnerability enables unauthorized elevation of administrative access rights, compromising the separation of administrative duties. No public exploit code or active exploitation has been identified at the time of analysis.
A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A session fixation issue was discovered in the SAML adapters provided by Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability was found in Keycloak. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.
Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse that token after it has been revoked, bypassing session expiration controls. The vulnerability surfaces specifically when revokeRefreshToken=true is configured alongside persistent session storage, and is triggered by a server restart that resets the internal timing mechanisms responsible for enforcing token revocation. Successful exploitation can yield full account takeover, information disclosure, or privilege escalation; no public exploit identified at time of analysis and the CVE does not appear in CISA KEV.
Denial of service in Keycloak's LDAP federation layer allows an authenticated realm administrator - or an attacker who has compromised an upstream LDAP server - to crash the entire Keycloak JVM by inducing an OutOfMemoryError through a malformed LDAP password policy response. Because Keycloak typically serves multiple realms from a single JVM process, a successful attack denies service to all realms on the affected node, not just the targeted one. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow fails to enforce brute-force account lockouts, allowing an attacker with valid OAuth client credentials to continue initiating authentication requests and obtain tokens for a user account that should be temporarily locked. This undermines the core account-protection mechanism designed to throttle credential-stuffing and password-guessing campaigns. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though its CVSS score of 4.3 understates the strategic value of bypassing a lockout policy in an identity provider.
Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of a client's service account by submitting an oversized subject_token JWT to the TokenEndpoint. When the token exceeds the 4000-character limit it is silently discarded rather than rejected, causing the server to fall back to client-credentials authentication and grant the attacker the client's service-account scope. No public exploit identified at time of analysis and EPSS is very low (0.04%), but CVSS rates the issue 8.8 due to full CIA impact post-exploitation.
HTTP parameter pollution in Keycloak enables authentication bypass against deployments where OAuth/OIDC client applications are configured with permissive redirect URI patterns. An unauthenticated remote attacker who can trick a user into clicking a crafted authorization URL can inject duplicate HTTP parameters into the OAuth flow, causing the client application to prioritize attacker-supplied values over server-authoritative data - potentially hijacking the authentication process or gaining unauthorized resource access. No public exploit has been identified and EPSS (0.08%, 23rd percentile) signals low real-world exploitation probability; however, the authentication bypass impact is meaningful in identity-sensitive deployments.
Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or manage-organizations privileges to inject malicious JavaScript via the organization.alias field, enabling arbitrary script execution in users' browsers when they access the login page. Exploitation requires high-privilege administrative access and user interaction (viewing the login page), with potential impact including session theft and unauthorized account actions. No public exploit code or active exploitation confirmed at time of analysis.
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. [CVSS 2.7 LOW]
Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowing attackers with valid credentials to establish authenticated sessions and access other enabled clients without re-authentication. An authenticated remote attacker can exploit this authentication bypass to gain unauthorized access to protected resources across the Keycloak ecosystem. No patch is currently available.
Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowing attackers with knowledge of an IdP alias to reuse previous login requests and authenticate through administratively disabled external providers. This authentication bypass affects any Keycloak deployment relying on IdP disablement as an access control mechanism. An attacker can exploit this to gain unauthorized access by circumventing intended administrative restrictions on external authentication sources.
A flaw was found in Keycloak’s WebAuthn registration component. [CVSS 3.1 LOW]
Build Of Keycloak contains a vulnerability that allows attackers to unauthorized changes to user profiles, even when the system is configured to res (CVSS 4.9).
Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manage-users role to escalate privileges to realm-admin through improper privilege enforcement. When FGAPv2 is enabled, this vulnerability enables unauthorized elevation of administrative access rights, compromising the separation of administrative duties. No public exploit code or active exploitation has been identified at the time of analysis.
A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A session fixation issue was discovered in the SAML adapters provided by Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.
A vulnerability was found in Keycloak. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.
An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.