Search Blog Stats Labs

Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits

About

About Exploit Intel About Exploit Forge Privacy Policy

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Color Theme

Search Blog Statistics Labs Tools EIP CLI Search Tool EIP MCP Server EIP REST API API Rate Limits About About Exploit Forge Privacy

Exploit Database Researchers CWE Categories Vendors Ecosystems

RSS Feeds

Blog Posts Recent CVEs CVEs with Exploits CISA KEV

Follow:

Theme:

Home / Vendors / org.keycloak

org.keycloak

174 tracked vulnerabilities.

CVE-2026-1518 LOW

Keycloak - Server-Side Request Forgery via CIBA Backchannel Notification Endpoint

CVE-2026-1190 LOW

Keycloak - SAML Response Expiration Bypass via Missing NotOnOrAfter Validation

CVE-2026-1035 LOW

Keycloak - Refresh Token Reuse Bypass via Non-Atomic Validation in TokenManager

CVE-2026-1180 MEDIUM

Keycloak - Server-Side Request Forgery via OpenID Connect Dynamic Client Registration

CVE-2026-0976 LOW

Keycloak - Path Filter Bypass via RFC-Compliant Matrix Parameters

CVE-2026-0707 MEDIUM

Keycloak - Authorization Bypass via Non-Standard Bearer Token Parsing

CVE-2025-12150 LOW

Keycloak < 26.4.4 - Improper Verification of Cryptographic Signature via WebAuthn Attestation Bypass

CVE-2025-11537 MEDIUM

Keycloak Quarkus Server < 26.6.0 - Sensitive Header Exposure in Verbose Log Format

CVE-2025-14778 MEDIUM

Keycloak < 26.2.13 - Incorrect Privilege Assignment in UserManagedPermissionService

CVE-2025-13881 LOW

Keycloak Services 26.5.0-26.5.1 - Unauthorized Sensitive Attribute Disclosure via UnmanagedAttributes Endpoint

CVE-2025-14083 LOW

Keycloak - Improper Access Control in Admin REST API

CVE-2025-14559 MEDIUM

Keycloak Services 26.5.0-26.5.1 - Unauthorized Token Issuance via Token Exchange Flow

CVE-2025-11419 HIGH

Keycloak < 26.0.16 - Unauthenticated Denial of Service via TLS 1.2 Client-Initiated Renegotiation

CVE-2025-14082 LOW

Keycloak < 26.5.0 - Unauthenticated Sensitive Role Metadata Exposure via Admin REST API

CVE-2025-13467 MEDIUM

Keycloak LDAP Federation < 26.4.6 - Authenticated Deserialization of Untrusted Data via LDAP Server Configuration

CVE-2025-11538 MEDIUM

Keycloak < 26.4.4 - Remote Code Execution via Debug Mode JDWP Port Binding

CVE-2025-12390 MEDIUM

Keycloak < 26.0.0 - Session Fixation via Incomplete Session Cleanup

CVE-2025-10939 LOW

Keycloak < 26.4.4 - Unauthenticated Admin Path Access via Proxy Path Normalization Bypass

CVE-2025-12110 MEDIUM

Keycloak < 26.4.3 - Insufficient Session Expiration via Offline Access Scope Removal

CVE-2025-11429 MEDIUM

Keycloak < 26.4.1 - Insufficient Session Expiration via Remember Me Setting

CVE-2025-10044 MEDIUM

Keycloak < 26.2.9 - Phishing via Unsanitized Error Description Parameter

CVE-2025-9162 MEDIUM

KeycloakRealmImport - Code Injection

CVE-2025-8419 MEDIUM

Keycloak < 26.2.8 - SMTP Injection via Email Registration

CVE-2025-7784 MEDIUM

Red Hat build of Keycloak - Privilege Escalation via Fine-Grained Admin Permissions

CVE-2025-7365 HIGH

Keycloak - Authenticated Account Takeover via Identity Provider Login Email Verification

Previous Page 2 of 7 Next

Products

keycloak-services 74 keycloak-core 48 keycloak-parent 25 keycloak-quarkus-server 9 keycloak-server-spi-private 5 keycloak-ldap-federation 4 keycloak-saml-core 4 keycloak-model-jpa 3 keycloak-saml-adapter-core 3 keycloak-model-infinispan 2 keycloak-quarkus-dist 2 keycloak-account-ui 1 keycloak-adapter-core 1 keycloak-admin-ui 1 keycloak-authz-client 1 keycloak-broker-saml 1 keycloak-common 1 keycloak-js-admin-client 1 keycloak-model-storage-services 1 keycloak-oidc-client-adapter-pom 1

Quick Filters

Critical CVEs With Exploits In CISA KEV

Exploit Intelligence Platform

Blog Stats Labs Exploits Researchers CWE Ecosystems CLI MCP API Limits About Privacy