org.keycloak
198 tracked vulnerabilities.
CVE-2026-9803
MEDIUM
Keycloak: keycloak: denial of service via malformed authorization header
May 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-9802
MEDIUM
Keycloak: keycloak: unauthorized account access via replayed refresh tokens after cluster restart
May 28, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-9801
MEDIUM
Keycloak: keycloak: denial of service via malformed ldap password policy response
May 28, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-9798
MEDIUM
Keycloak: keycloak: brute-force protection bypass in ciba flow
May 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-9796
MEDIUM
Keycloak: keycloak: privilege escalation via time-of-check to time-of-use (toctou) vulnerability
May 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-9795
HIGH
Keycloak: keycloak: privilege escalation via improper scope mapping enforcement
May 28, 2026
CVSS 7.3
EPSS 0.00
CVE-2026-9794
MEDIUM
Keycloak: keycloak: information disclosure via saml ecp endpoint
May 28, 2026
CVSS 5.3
EPSS 0.00
CVE-2026-9793
MEDIUM
Keycloak: keycloak: security policy bypass in jwe-encrypted request object processing
May 28, 2026
CVSS 5.9
EPSS 0.00
CVE-2026-9792
MEDIUM
Keycloak: keycloak: security restriction bypass allows unauthorized ropc token acquisition
May 28, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-9791
MEDIUM
Keycloak-rhel9: organization data leak after feature disabled in keycloak
May 28, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-9704
MEDIUM
Keycloak: keycloak: privilege escalation due to oversized subject_token jwt
May 27, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-9689
MEDIUM
Keycloak: org.keycloak.protocol.oidc: http parameter pollution in oidc redirect uri allows response parameter duplication - #ghi-604
May 27, 2026
CVSS 4.2
EPSS 0.00
CVE-2026-9087
MEDIUM
Keycloak: cross-session email verification proof not bound to upstream identity in first-broker-login
May 20, 2026
CVSS 6.4
EPSS 0.00
CVE-2026-7571
HIGH
Keycloak: keycloak: access token disclosure and implicit flow bypass via forged client data
May 19, 2026
CVSS 7.1
EPSS 0.00
CVE-2026-7507
HIGH
Org.keycloak/keycloak-services: session fixation in oidc login flow that can lead to account takeover
May 19, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-7504
HIGH
Org.keycloak/keycloak-services: open redirect when using wildcard valid redirect uris in keycloak
May 19, 2026
CVSS 8.1
EPSS 0.01
CVE-2026-7307
HIGH
Keycloak: keycloak: denial of service via specially crafted saml input
May 19, 2026
CVSS 7.5
EPSS 0.01
CVE-2026-4630
MEDIUM
Keycloak: keycloak: unauthorized resource access and data modification via insecure direct object reference
May 19, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-37982
MEDIUM
Keycloak: org.keycloak.authentication: keycloak: unauthorized account takeover via webauthn token replay
May 19, 2026
CVSS 6.8
EPSS 0.00
CVE-2026-37981
MEDIUM
Keycloak: org.keycloak.authorization: keycloak: information disclosure via broken access control in user lookup endpoint
May 19, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-37979
MEDIUM
Keycloak: keycloak: information disclosure via oidc token introspection endpoint audience bypass
May 19, 2026
CVSS 6.5
EPSS 0.00
CVE-2026-37978
MEDIUM
Keycloak: org.keycloak.services: keycloak: information disclosure via evaluate-scopes admin api
May 19, 2026
CVSS 4.9
EPSS 0.00
CVE-2026-8922
MEDIUM
Org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: security flaw in org.keycloak/keycloak-services
May 19, 2026
CVSS 5.4
EPSS 0.00
CVE-2026-8830
MEDIUM
Keycloak: org.keycloak/keycloak-services: keycloak: policy bypass during webauthn credential registration via client-side javascript manipulation
May 19, 2026
CVSS 4.3
EPSS 0.00
CVE-2026-7500
MEDIUM
Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled
Apr 30, 2026
CVSS 5.4
EPSS 0.00
Products
keycloak-services 95
keycloak-core 48
keycloak-parent 25
keycloak-quarkus-server 9
keycloak-server-spi-private 7
keycloak-ldap-federation 5
keycloak-saml-core 5
keycloak-model-jpa 3
keycloak-saml-adapter-core 3
keycloak-model-infinispan 2
keycloak-quarkus-dist 2
keycloak-account-ui 1
keycloak-adapter-core 1
keycloak-admin-ui 1
keycloak-authz-client 1
keycloak-broker-saml 1
keycloak-common 1
keycloak-js-admin-client 1
keycloak-model-storage-services 1
keycloak-oidc-client-adapter-pom 1
keycloak-server 1
Quick Filters