Skip to main content

Build Of Keycloak

22 CVEs product

Monthly

CVE-2026-9803 Maven MEDIUM PATCH This Month

Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.

Information Disclosure Denial Of Service Buffer Overflow Build Of Keycloak
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-9802 Maven MEDIUM PATCH This Month

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse that token after it has been revoked, bypassing session expiration controls. The vulnerability surfaces specifically when revokeRefreshToken=true is configured alongside persistent session storage, and is triggered by a server restart that resets the internal timing mechanisms responsible for enforcing token revocation. Successful exploitation can yield full account takeover, information disclosure, or privilege escalation; no public exploit identified at time of analysis and the CVE does not appear in CISA KEV.

Privilege Escalation Information Disclosure Authentication Bypass Build Of Keycloak
NVD VulDB
CVSS 3.1
6.8
EPSS
0.0%
CVE-2026-9801 Maven MEDIUM PATCH This Month

Denial of service in Keycloak's LDAP federation layer allows an authenticated realm administrator - or an attacker who has compromised an upstream LDAP server - to crash the entire Keycloak JVM by inducing an OutOfMemoryError through a malformed LDAP password policy response. Because Keycloak typically serves multiple realms from a single JVM process, a successful attack denies service to all realms on the affected node, not just the targeted one. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Java Denial Of Service Build Of Keycloak
NVD VulDB
CVSS 3.1
4.9
EPSS
0.3%
CVE-2026-9798 Maven MEDIUM This Month

Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow fails to enforce brute-force account lockouts, allowing an attacker with valid OAuth client credentials to continue initiating authentication requests and obtain tokens for a user account that should be temporarily locked. This undermines the core account-protection mechanism designed to throttle credential-stuffing and password-guessing campaigns. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though its CVSS score of 4.3 understates the strategic value of bypassing a lockout policy in an identity provider.

Authentication Bypass Build Of Keycloak
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-9704 Maven HIGH PATCH This Week

Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of a client's service account by submitting an oversized subject_token JWT to the TokenEndpoint. When the token exceeds the 4000-character limit it is silently discarded rather than rejected, causing the server to fall back to client-credentials authentication and grant the attacker the client's service-account scope. No public exploit identified at time of analysis and EPSS is very low (0.04%), but CVSS rates the issue 8.8 due to full CIA impact post-exploitation.

Privilege Escalation Build Of Keycloak
NVD VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-9689 Maven MEDIUM This Month

HTTP parameter pollution in Keycloak enables authentication bypass against deployments where OAuth/OIDC client applications are configured with permissive redirect URI patterns. An unauthenticated remote attacker who can trick a user into clicking a crafted authorization URL can inject duplicate HTTP parameters into the OAuth flow, causing the client application to prioritize attacker-supplied values over server-authoritative data - potentially hijacking the authentication process or gaining unauthorized resource access. No public exploit has been identified and EPSS (0.08%, 23rd percentile) signals low real-world exploitation probability; however, the authentication bypass impact is meaningful in identity-sensitive deployments.

Authentication Bypass Build Of Keycloak
NVD
CVSS 3.1
4.2
EPSS
0.1%
CVE-2026-37980 Maven MEDIUM This Month

Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or manage-organizations privileges to inject malicious JavaScript via the organization.alias field, enabling arbitrary script execution in users' browsers when they access the login page. Exploitation requires high-privilege administrative access and user interaction (viewing the login page), with potential impact including session theft and unauthorized account actions. No public exploit code or active exploitation confirmed at time of analysis.

XSS Build Of Keycloak
NVD VulDB
CVSS 3.1
6.9
EPSS
0.1%
CVE-2026-3911 Maven LOW Monitor

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. [CVSS 2.7 LOW]

Information Disclosure Build Of Keycloak
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-3047 Maven HIGH PATCH This Week

Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowing attackers with valid credentials to establish authenticated sessions and access other enabled clients without re-authentication. An authenticated remote attacker can exploit this authentication bypass to gain unauthorized access to protected resources across the Keycloak ecosystem. No patch is currently available.

Authentication Bypass Build Of Keycloak Keycloak
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2026-3009 Maven HIGH PATCH This Week

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowing attackers with knowledge of an IdP alias to reuse previous login requests and authenticate through administratively disabled external providers. This authentication bypass affects any Keycloak deployment relying on IdP disablement as an access control mechanism. An attacker can exploit this to gain unauthorized access by circumventing intended administrative restrictions on external authentication sources.

Authentication Bypass Build Of Keycloak Jboss Enterprise Application Platform Jboss Enterprise Application Platform Expansion Pack Single Sign On
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2025-12150 Maven LOW PATCH Monitor

A flaw was found in Keycloak’s WebAuthn registration component. [CVSS 3.1 LOW]

Authentication Bypass Build Of Keycloak Keycloak
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-0871 Maven MEDIUM PATCH This Month

Build Of Keycloak contains a vulnerability that allows attackers to unauthorized changes to user profiles, even when the system is configured to res (CVSS 4.9).

Authentication Bypass Keycloak Build Of Keycloak Red Hat
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-7784 Maven MEDIUM PATCH This Month

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manage-users role to escalate privileges to realm-admin through improper privilege enforcement. When FGAPv2 is enabled, this vulnerability enables unauthorized elevation of administrative access rights, compromising the separation of administrative duties. No public exploit code or active exploitation has been identified at the time of analysis.

Privilege Escalation Build Of Keycloak Red Hat
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-3910 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Build Of Keycloak Red Hat
NVD GitHub
CVSS 3.1
5.4
EPSS
0.1%
CVE-2024-10234 HIGH This Week

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Build Of Keycloak Jboss Enterprise Application Platform
NVD
CVSS 3.1
7.3
EPSS
0.7%
CVE-2024-8883 Maven MEDIUM POC PATCH This Month

A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Build Of Keycloak Openshift Container Platform Openshift Container Platform For Ibm Z Openshift Container Platform For Linuxone +2
NVD GitHub
CVSS 3.1
6.1
EPSS
2.0%
CVE-2024-7341 Maven HIGH PATCH This Month

A session fixation issue was discovered in the SAML adapters provided by Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Session Fixation Information Disclosure Keycloak Single Sign On Build Of Keycloak
NVD GitHub
CVSS 3.1
7.1
EPSS
1.7%
CVE-2024-7318 Maven MEDIUM PATCH This Month

A vulnerability was found in Keycloak. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Build Of Keycloak
NVD
CVSS 3.1
4.8
EPSS
0.4%
CVE-2024-7260 Maven MEDIUM PATCH This Month

An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Build Of Keycloak Keycloak
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-4629 Maven MEDIUM PATCH This Month

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak Build Of Keycloak Single Sign On Openshift Container Platform +3
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2024-7885 Maven HIGH PATCH This Week

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Build Of Apache Camel Hawtio Build Of Apache Camel For Spring Boot Build Of Keycloak +6
NVD
CVSS 3.1
7.5
EPSS
2.6%
CVE-2024-1132 Maven HIGH PATCH This Week

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Build Of Keycloak Jboss Middleware Text Only Advisories Keycloak Migration Toolkit For Applications +6
NVD
CVSS 3.1
8.1
EPSS
1.6%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Keycloak's ClientRegistrationAuth component can be crashed by a remote unauthenticated attacker through a specially crafted POST request bearing a malformed 'Authorization: Bearer' header, triggering an unhandled ArrayIndexOutOfBoundsException and returning HTTP 500 to all subsequent callers of the affected endpoint. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms zero prerequisites for exploitation beyond network reachability, making any publicly exposed Keycloak client registration endpoint a viable target. No public exploit has been identified at time of analysis and no EPSS data was supplied, but the trivial attack mechanics mean no specialized tooling is required to reproduce the denial of service.

Information Disclosure Denial Of Service Buffer Overflow +1
NVD VulDB
EPSS 0% CVSS 6.8
MEDIUM PATCH This Month

Refresh token replay in Keycloak allows a remote attacker who has previously captured a user's refresh token to reuse that token after it has been revoked, bypassing session expiration controls. The vulnerability surfaces specifically when revokeRefreshToken=true is configured alongside persistent session storage, and is triggered by a server restart that resets the internal timing mechanisms responsible for enforcing token revocation. Successful exploitation can yield full account takeover, information disclosure, or privilege escalation; no public exploit identified at time of analysis and the CVE does not appear in CISA KEV.

Privilege Escalation Information Disclosure Authentication Bypass +1
NVD VulDB
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Denial of service in Keycloak's LDAP federation layer allows an authenticated realm administrator - or an attacker who has compromised an upstream LDAP server - to crash the entire Keycloak JVM by inducing an OutOfMemoryError through a malformed LDAP password policy response. Because Keycloak typically serves multiple realms from a single JVM process, a successful attack denies service to all realms on the affected node, not just the targeted one. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Java Denial Of Service Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Keycloak's Client-Initiated Backchannel Authentication (CIBA) flow fails to enforce brute-force account lockouts, allowing an attacker with valid OAuth client credentials to continue initiating authentication requests and obtain tokens for a user account that should be temporarily locked. This undermines the core account-protection mechanism designed to throttle credential-stuffing and password-guessing campaigns. No public exploit has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though its CVSS score of 4.3 understates the strategic value of bypassing a lockout policy in an identity provider.

Authentication Bypass Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Privilege escalation in Red Hat Build of Keycloak allows low-privileged authenticated users to assume the permissions of a client's service account by submitting an oversized subject_token JWT to the TokenEndpoint. When the token exceeds the 4000-character limit it is silently discarded rather than rejected, causing the server to fall back to client-credentials authentication and grant the attacker the client's service-account scope. No public exploit identified at time of analysis and EPSS is very low (0.04%), but CVSS rates the issue 8.8 due to full CIA impact post-exploitation.

Privilege Escalation Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 4.2
MEDIUM This Month

HTTP parameter pollution in Keycloak enables authentication bypass against deployments where OAuth/OIDC client applications are configured with permissive redirect URI patterns. An unauthenticated remote attacker who can trick a user into clicking a crafted authorization URL can inject duplicate HTTP parameters into the OAuth flow, causing the client application to prioritize attacker-supplied values over server-authoritative data - potentially hijacking the authentication process or gaining unauthorized resource access. No public exploit has been identified and EPSS (0.08%, 23rd percentile) signals low real-world exploitation probability; however, the authentication bypass impact is meaningful in identity-sensitive deployments.

Authentication Bypass Build Of Keycloak
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

Stored XSS in Keycloak's organization selection login page allows authenticated administrators with manage-realm or manage-organizations privileges to inject malicious JavaScript via the organization.alias field, enabling arbitrary script execution in users' browsers when they access the login page. Exploitation requires high-privilege administrative access and user interaction (viewing the login page), with potential impact including session theft and unauthorized account actions. No public exploit code or active exploitation confirmed at time of analysis.

XSS Build Of Keycloak
NVD VulDB
EPSS 0% CVSS 2.7
LOW Monitor

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. [CVSS 2.7 LOW]

Information Disclosure Build Of Keycloak
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowing attackers with valid credentials to establish authenticated sessions and access other enabled clients without re-authentication. An authenticated remote attacker can exploit this authentication bypass to gain unauthorized access to protected resources across the Keycloak ecosystem. No patch is currently available.

Authentication Bypass Build Of Keycloak Keycloak
NVD VulDB
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Keycloak's IdentityBrokerService.performLogin endpoint fails to enforce disabled Identity Provider restrictions, allowing attackers with knowledge of an IdP alias to reuse previous login requests and authenticate through administratively disabled external providers. This authentication bypass affects any Keycloak deployment relying on IdP disablement as an access control mechanism. An attacker can exploit this to gain unauthorized access by circumventing intended administrative restrictions on external authentication sources.

Authentication Bypass Build Of Keycloak Jboss Enterprise Application Platform +2
NVD
EPSS 0% CVSS 3.1
LOW PATCH Monitor

A flaw was found in Keycloak’s WebAuthn registration component. [CVSS 3.1 LOW]

Authentication Bypass Build Of Keycloak Keycloak
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Build Of Keycloak contains a vulnerability that allows attackers to unauthorized changes to user profiles, even when the system is configured to res (CVSS 4.9).

Authentication Bypass Keycloak Build Of Keycloak +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Privilege escalation in Keycloak's Fine-Grained Admin Permissions v2 (FGAPv2) allows administrative users with the manage-users role to escalate privileges to realm-admin through improper privilege enforcement. When FGAPv2 is enabled, this vulnerability enables unauthorized elevation of administrative access rights, compromising the separation of administrative duties. No public exploit code or active exploitation has been identified at the time of analysis.

Privilege Escalation Build Of Keycloak Red Hat
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Build Of Keycloak Red Hat
NVD GitHub
EPSS 1% CVSS 7.3
HIGH This Week

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Build Of Keycloak Jboss Enterprise Application Platform
NVD
EPSS 2% CVSS 6.1
MEDIUM POC PATCH This Month

A misconfiguration flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Build Of Keycloak Openshift Container Platform +4
NVD GitHub
EPSS 2% CVSS 7.1
HIGH PATCH This Month

A session fixation issue was discovered in the SAML adapters provided by Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Session Fixation Information Disclosure Keycloak +2
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A vulnerability was found in Keycloak. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Build Of Keycloak
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Build Of Keycloak Keycloak
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak Build Of Keycloak +5
NVD GitHub
EPSS 3% CVSS 7.5
HIGH PATCH This Week

A vulnerability was found in Undertow where the ProxyProtocolReadListener reuses the same StringBuilder instance across multiple requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Race Condition Information Disclosure Build Of Apache Camel Hawtio +8
NVD
EPSS 2% CVSS 8.1
HIGH PATCH This Week

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Build Of Keycloak Jboss Middleware Text Only Advisories +8
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy