Skip to main content

Keycloak

66 CVEs product

Monthly

CVE-2026-1609 HIGH PATCH This Week

Access-control bypass in Keycloak (fixed in 26.5.3) lets a disabled user account still obtain valid tokens through the JWT authorization grant preview feature. When that feature is enabled, Keycloak omits the account-enabled check during JWT authorization grant processing, so a low-privileged remote attacker who can present a valid assertion token from an external identity provider can mint a JWT for an account an administrator has explicitly disabled, regaining access to protected resources. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Keycloak Red Hat Jboss Enterprise Application Platform 8 Red Hat Jboss Enterprise Application Platform Expansion Pack
NVD GitHub VulDB
CVSS 3.1
8.1
CVE-2026-3047 Maven HIGH PATCH This Week

Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowing attackers with valid credentials to establish authenticated sessions and access other enabled clients without re-authentication. An authenticated remote attacker can exploit this authentication bypass to gain unauthorized access to protected resources across the Keycloak ecosystem. No patch is currently available.

Authentication Bypass Build Of Keycloak Keycloak
NVD VulDB
CVSS 3.1
8.8
EPSS
0.4%
CVE-2025-12150 Maven LOW PATCH Monitor

A flaw was found in Keycloak’s WebAuthn registration component. [CVSS 3.1 LOW]

Authentication Bypass Build Of Keycloak Keycloak
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-0871 Maven MEDIUM PATCH This Month

Build Of Keycloak contains a vulnerability that allows attackers to unauthorized changes to user profiles, even when the system is configured to res (CVSS 4.9).

Authentication Bypass Keycloak Build Of Keycloak Red Hat
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-8419 Maven MEDIUM PATCH This Month

A vulnerability was found in Keycloak-services. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Keycloak Red Hat
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2024-7341 Maven HIGH PATCH This Month

A session fixation issue was discovered in the SAML adapters provided by Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Session Fixation Information Disclosure Keycloak Single Sign On Build Of Keycloak
NVD GitHub
CVSS 3.1
7.1
EPSS
1.7%
CVE-2024-7260 Maven MEDIUM PATCH This Month

An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Build Of Keycloak Keycloak
NVD
CVSS 3.1
6.1
EPSS
0.5%
CVE-2024-4629 Maven MEDIUM PATCH This Month

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak Build Of Keycloak Single Sign On Openshift Container Platform +3
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2024-1132 Maven HIGH PATCH This Week

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Build Of Keycloak Jboss Middleware Text Only Advisories Keycloak Migration Toolkit For Applications +6
NVD
CVSS 3.1
8.1
EPSS
1.6%
CVE-2024-1722 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
CVSS 3.1
5.3
EPSS
0.8%
CVE-2023-6927 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Keycloak Single Sign On
NVD
CVSS 3.1
6.1
EPSS
1.1%
CVE-2023-48795 LIB MEDIUM POC PATCH THREAT This Month

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.

Authentication Bypass Apache Node.js SSH Java +66
NVD GitHub
CVSS 3.1
5.9
EPSS
53.6%
Threat
4.3
CVE-2023-6134 Maven MEDIUM POC PATCH This Month

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Single Sign On Keycloak Openshift Container Platform Openshift Container Platform For Power +1
NVD
CVSS 3.1
5.4
EPSS
0.9%
CVE-2023-6563 Maven HIGH POC PATCH This Week

An unconstrained memory consumption vulnerability was discovered in Keycloak. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Keycloak Single Sign On Openshift Container Platform Openshift Container Platform For Power +1
NVD GitHub
CVSS 3.1
7.7
EPSS
1.2%
CVE-2023-2422 Maven HIGH PATCH This Week

A flaw was found in Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Openshift Container Platform Single Sign On
NVD
CVSS 3.1
7.1
EPSS
0.5%
CVE-2023-4918 Maven HIGH PATCH This Week

A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD GitHub
CVSS 3.1
8.8
EPSS
0.5%
CVE-2023-0264 Maven MEDIUM PATCH This Month

A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Keycloak Single Sign On Openshift Container Platform Openshift Container Platform For Ibm Linuxone +1
NVD
CVSS 3.1
5.0
EPSS
1.3%
CVE-2023-1664 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Build Of Quarkus Jboss A Mq Keycloak Migration Toolkit For Runtimes +1
NVD
CVSS 3.1
6.5
EPSS
0.4%
CVE-2023-0105 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak
NVD
CVSS 3.1
6.5
EPSS
0.7%
CVE-2023-0091 Maven LOW PATCH Monitor

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak
NVD
CVSS 3.1
3.8
EPSS
0.5%
CVE-2022-0225 Maven MEDIUM POC This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Keycloak Single Sign On
NVD GitHub
CVSS 3.1
5.4
EPSS
2.7%
CVE-2022-2668 Maven HIGH PATCH This Week

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Single Sign On
NVD
CVSS 3.1
7.2
EPSS
0.9%
CVE-2022-1245 Maven CRITICAL PATCH Act Now

A privilege escalation flaw was found in the token exchange feature of keycloak. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Authentication Bypass Microsoft Keycloak
NVD GitHub
CVSS 3.1
9.8
EPSS
1.3%
CVE-2022-1466 Maven MEDIUM POC PATCH This Month

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Red Hat Keycloak Single Sign On
NVD
CVSS 3.1
6.5
EPSS
1.1%
CVE-2021-3637 Maven HIGH PATCH This Week

A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Keycloak Single Sign On
NVD
CVSS 3.1
7.5
EPSS
1.1%
CVE-2021-20195 Maven CRITICAL PATCH Act Now

A flaw was found in keycloak in versions before 13.0.0. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Keycloak
NVD
CVSS 3.1
9.6
EPSS
1.2%
CVE-2021-20202 Maven HIGH PATCH This Week

A flaw was found in keycloak. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Java Keycloak
NVD
CVSS 3.1
7.3
EPSS
0.3%
CVE-2021-20222 Maven HIGH PATCH This Week

A flaw was found in keycloak. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Keycloak
NVD
CVSS 3.1
7.5
EPSS
1.2%
CVE-2021-20262 Maven MEDIUM This Month

A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak Single Sign On
NVD
CVSS 3.1
6.8
EPSS
0.3%
CVE-2020-14302 MEDIUM This Month

A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
CVSS 3.1
4.9
EPSS
1.0%
CVE-2020-10770 Maven MEDIUM POC PATCH THREAT This Month

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Keycloak
NVD Exploit-DB
CVSS 3.1
5.3
EPSS
69.7%
CVE-2020-14389 Maven HIGH PATCH This Week

It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
CVSS 3.1
8.1
EPSS
0.8%
CVE-2020-10776 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Keycloak
NVD
CVSS 3.1
4.8
EPSS
0.8%
CVE-2020-14366 Maven HIGH PATCH This Week

A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Keycloak
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2020-1694 Maven MEDIUM PATCH This Month

A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
CVSS 3.1
4.9
EPSS
1.6%
CVE-2020-10748 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Keycloak Single Sign On
NVD
CVSS 3.1
6.1
EPSS
0.9%
CVE-2020-10758 Maven HIGH PATCH This Week

A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Keycloak Openshift Application Runtimes Single Sign On
NVD GitHub
CVSS 3.1
7.5
EPSS
2.2%
CVE-2020-1727 MEDIUM This Month

A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2020-1758 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Keycloak Openstack
NVD
CVSS 3.1
5.9
EPSS
0.9%
CVE-2020-1714 Maven HIGH PATCH This Week

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Java RCE Keycloak Decision Manager Jboss Fuse +4
NVD GitHub
CVSS 3.1
8.8
EPSS
2.6%
CVE-2020-1718 Maven HIGH PATCH This Week

A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jboss Fuse Keycloak Openshift Application Runtimes
NVD
CVSS 3.1
8.8
EPSS
1.0%
CVE-2020-1724 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak in versions before 9.0.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Openshift Application Runtimes Single Sign On
NVD
CVSS 3.1
4.3
EPSS
0.8%
CVE-2020-1698 Maven MEDIUM PATCH This Month

A flaw was found in keycloak in versions before 9.0.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
CVSS 3.1
5.5
EPSS
0.4%
CVE-2020-10686 Maven MEDIUM PATCH This Month

A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak
NVD
CVSS 3.1
4.7
EPSS
0.7%
CVE-2020-1728 Maven MEDIUM This Month

A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Quarkus
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2020-1744 Maven MEDIUM PATCH This Month

A flaw was found in keycloak before version 9.0.1. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Keycloak
NVD
CVSS 3.1
5.6
EPSS
1.1%
CVE-2020-1697 Maven MEDIUM PATCH This Month

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Keycloak Single Sign On
NVD
CVSS 3.1
5.4
EPSS
0.8%
CVE-2019-14910 Maven CRITICAL Act Now

A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak
NVD
CVSS 3.1
9.8
EPSS
1.1%
CVE-2019-14909 Maven HIGH This Week

A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak
NVD
CVSS 3.1
8.3
EPSS
1.1%
CVE-2019-14832 Maven HIGH PATCH This Week

A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Keycloak
NVD
CVSS 3.1
7.5
EPSS
0.5%
CVE-2019-10201 Maven HIGH PATCH This Week

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Single Sign On
NVD
CVSS 3.1
8.1
EPSS
0.7%
CVE-2019-10199 Maven HIGH PATCH This Week

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Keycloak
NVD
CVSS 3.1
8.8
EPSS
0.5%
CVE-2019-3875 Maven MEDIUM PATCH This Month

A vulnerability was found in keycloak before 6.0.2. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Keycloak Single Sign On
NVD
CVSS 3.0
4.8
EPSS
0.3%
CVE-2019-10157 npm MEDIUM PATCH This Month

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Node.js Information Disclosure Keycloak Single Sign On
NVD
CVSS 3.0
5.5
EPSS
0.2%
CVE-2019-3868 Maven LOW PATCH Monitor

Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
CVSS 3.0
3.8
EPSS
1.0%
CVE-2018-14637 Maven HIGH PATCH This Week

The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Keycloak
NVD
CVSS 3.0
8.1
EPSS
0.8%
CVE-2018-14658 Maven MEDIUM This Month

A flaw was found in JBOSS Keycloak 3.2.1.Final. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Keycloak
NVD
CVSS 3.0
6.1
EPSS
1.1%
CVE-2018-14657 Maven HIGH PATCH This Week

A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Keycloak Single Sign On
NVD
CVSS 3.1
8.1
EPSS
1.2%
CVE-2018-14655 Maven MEDIUM This Month

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Keycloak Single Sign On
NVD
CVSS 3.0
5.4
EPSS
1.2%
CVE-2018-10894 Maven MEDIUM PATCH This Month

It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Keycloak Single Sign On
NVD
CVSS 3.0
5.4
EPSS
0.4%
CVE-2018-10912 Maven MEDIUM PATCH This Month

keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Keycloak Single Sign On
NVD
CVSS 3.1
4.9
EPSS
1.3%
CVE-2014-3651 Maven HIGH PATCH This Week

JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Keycloak
NVD
CVSS 3.0
7.5
EPSS
0.8%
CVE-2017-12160 Maven HIGH PATCH This Week

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Keycloak
NVD
CVSS 3.1
7.2
EPSS
0.6%
CVE-2017-12159 Maven HIGH PATCH This Week

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Information Disclosure Single Sign On Keycloak
NVD
CVSS 3.0
7.5
EPSS
0.6%
CVE-2017-12158 Maven MEDIUM PATCH This Month

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

XSS Request Smuggling Single Sign On Keycloak
NVD
CVSS 3.0
5.4
EPSS
0.7%
CVE-2014-3709 Maven HIGH POC PATCH This Week

The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Keycloak
NVD
CVSS 3.0
8.8
EPSS
0.3%
CVSS 8.1
HIGH PATCH This Week

Access-control bypass in Keycloak (fixed in 26.5.3) lets a disabled user account still obtain valid tokens through the JWT authorization grant preview feature. When that feature is enabled, Keycloak omits the account-enabled check during JWT authorization grant processing, so a low-privileged remote attacker who can present a valid assertion token from an external identity provider can mint a JWT for an account an administrator has explicitly disabled, regaining access to protected resources. No public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Keycloak Red Hat Jboss Enterprise Application Platform 8 +1
NVD GitHub VulDB
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Keycloak's SAML identity provider broker fails to enforce client disabled status during IdP-initiated SSO flows, allowing attackers with valid credentials to establish authenticated sessions and access other enabled clients without re-authentication. An authenticated remote attacker can exploit this authentication bypass to gain unauthorized access to protected resources across the Keycloak ecosystem. No patch is currently available.

Authentication Bypass Build Of Keycloak Keycloak
NVD VulDB
EPSS 0% CVSS 3.1
LOW PATCH Monitor

A flaw was found in Keycloak’s WebAuthn registration component. [CVSS 3.1 LOW]

Authentication Bypass Build Of Keycloak Keycloak
NVD GitHub
EPSS 0% CVSS 4.9
MEDIUM PATCH This Month

Build Of Keycloak contains a vulnerability that allows attackers to unauthorized changes to user profiles, even when the system is configured to res (CVSS 4.9).

Authentication Bypass Keycloak Build Of Keycloak +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

A vulnerability was found in Keycloak-services. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Keycloak Red Hat
NVD
EPSS 2% CVSS 7.1
HIGH PATCH This Month

A session fixation issue was discovered in the SAML adapters provided by Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable. No vendor patch available.

Session Fixation Information Disclosure Keycloak +2
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

An open redirect vulnerability was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Build Of Keycloak Keycloak
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A vulnerability was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak Build Of Keycloak +5
NVD GitHub
EPSS 2% CVSS 8.1
HIGH PATCH This Week

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Build Of Keycloak Jboss Middleware Text Only Advisories +8
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Keycloak Single Sign On
NVD
EPSS 54% 4.3 CVSS 5.9
MEDIUM POC PATCH THREAT This Month

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and EPSS exploitation probability 53.6%.

Authentication Bypass Apache Node.js +68
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM POC PATCH This Month

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Single Sign On Keycloak +3
NVD
EPSS 1% CVSS 7.7
HIGH POC PATCH This Week

An unconstrained memory consumption vulnerability was discovered in Keycloak. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Keycloak Single Sign On +3
NVD GitHub
EPSS 1% CVSS 7.1
HIGH PATCH This Week

A flaw was found in Keycloak. Rated high severity (CVSS 7.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Openshift Container Platform +1
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD GitHub
EPSS 1% CVSS 5.0
MEDIUM PATCH This Month

A flaw was found in Keycloaks OpenID Connect user authentication, which may incorrectly authenticate requests. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Keycloak Single Sign On +3
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Build Of Quarkus Jboss A Mq +3
NVD
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak
NVD
EPSS 0% CVSS 3.8
LOW PATCH Monitor

A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak
NVD
EPSS 3% CVSS 5.4
MEDIUM POC This Month

A flaw was found in Keycloak. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Keycloak Single Sign On
NVD GitHub
EPSS 1% CVSS 7.2
HIGH PATCH This Week

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Single Sign On
NVD
EPSS 1% CVSS 9.8
CRITICAL PATCH Act Now

A privilege escalation flaw was found in the token exchange feature of keycloak. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Privilege Escalation Authentication Bypass Microsoft +1
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC PATCH This Month

Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Authentication Bypass Red Hat Keycloak +1
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthenticationSessionEntity grows boundlessly which could lead to a DoS attack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Keycloak Single Sign On
NVD
EPSS 1% CVSS 9.6
CRITICAL PATCH Act Now

A flaw was found in keycloak in versions before 13.0.0. Rated critical severity (CVSS 9.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Keycloak
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

A flaw was found in keycloak. Rated high severity (CVSS 7.3), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Java Keycloak
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in keycloak. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Keycloak
NVD
EPSS 0% CVSS 6.8
MEDIUM This Month

A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak Single Sign On
NVD
EPSS 1% CVSS 4.9
MEDIUM This Month

A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
EPSS 70% CVSS 5.3
MEDIUM POC PATCH THREAT This Month

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

SSRF Keycloak
NVD Exploit-DB
EPSS 1% CVSS 8.1
HIGH PATCH This Week

It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
EPSS 1% CVSS 4.8
MEDIUM PATCH This Month

A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Keycloak
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the resources endpoint applies a transformation of the url path to the. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Keycloak
NVD
EPSS 2% CVSS 4.9
MEDIUM PATCH This Month

A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
EPSS 1% CVSS 6.1
MEDIUM PATCH This Month

A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Keycloak Single Sign On
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Allocation of Resources Without Limits vulnerability could allow attackers to exhaust system resources through uncontrolled allocation.

Denial Of Service Keycloak Openshift Application Runtimes +1
NVD GitHub
EPSS 1% CVSS 5.4
MEDIUM This Month

A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input validation as it allows a wide range of characters. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Keycloak Openstack
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Java RCE Keycloak +6
NVD GitHub
EPSS 1% CVSS 8.8
HIGH PATCH This Week

A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Jboss Fuse Keycloak +1
NVD
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

A flaw was found in Keycloak in versions before 9.0.2. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Openshift Application Runtimes +1
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

A flaw was found in keycloak in versions before 9.0.0. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
EPSS 1% CVSS 4.7
MEDIUM PATCH This Month

A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. Rated medium severity (CVSS 4.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Quarkus
NVD
EPSS 1% CVSS 5.6
MEDIUM PATCH This Month

A flaw was found in keycloak before version 9.0.1. Rated medium severity (CVSS 5.6), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Keycloak
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Keycloak Single Sign On
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak
NVD
EPSS 1% CVSS 8.3
HIGH This Week

A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted. Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Keycloak
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable. No vendor patch available.

Authentication Bypass Keycloak
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak Single Sign On
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Keycloak
NVD
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

A vulnerability was found in keycloak before 6.0.2. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Keycloak Single Sign On
NVD
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Node.js Information Disclosure Keycloak +1
NVD
EPSS 1% CVSS 3.8
LOW PATCH Monitor

Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. Rated low severity (CVSS 3.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Keycloak
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Authentication Bypass Keycloak
NVD
EPSS 1% CVSS 6.1
MEDIUM This Month

A flaw was found in JBOSS Keycloak 3.2.1.Final. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Open Redirect Keycloak
NVD
EPSS 1% CVSS 8.1
HIGH PATCH This Week

A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Keycloak Single Sign On
NVD
EPSS 1% CVSS 5.4
MEDIUM This Month

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Keycloak Single Sign On
NVD
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Keycloak Single Sign On
NVD
EPSS 1% CVSS 4.9
MEDIUM PATCH This Month

keycloak before version 4.0.0.final is vulnerable to a infinite loop in session replacement. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Keycloak Single Sign On
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in the size parameter to auth/qrcode, related to QR code generation. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Keycloak
NVD
EPSS 1% CVSS 7.2
HIGH PATCH This Week

It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentication server, permitting indefinite usage in the case of permission. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Keycloak
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

CSRF Information Disclosure Single Sign On +1
NVD
EPSS 1% CVSS 5.4
MEDIUM PATCH This Month

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This HTTP Request/Response Smuggling vulnerability could allow attackers to manipulate HTTP request interpretation between frontend and backend servers.

XSS Request Smuggling Single Sign On +1
NVD
EPSS 0% CVSS 8.8
HIGH POC PATCH This Week

The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to conduct cross-site request forgery (CSRF) attacks by leveraging lack. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

CSRF Keycloak
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy