org.keycloak
174 tracked vulnerabilities.
CVE | Severity | Tags | Title | Published | CVSS | EPSS
CVE-2025-3910 | MEDIUM | - | Red Hat build of Keycloak 26.0-26.0.10 and Keycloak Services < 26.2.2 - Authentication Bypass | Apr 29, 2025 | 5.4 | 0.00
CVE-2025-3501 | HIGH | - | Keycloak < 26.2.2 - Certificate Validation Bypass via Trust Store Policy | Apr 29, 2025 | 8.2 | 0.00
CVE-2025-2559 | MEDIUM | - | Keycloak - Denial of Service via JWT Token Cache Exhaustion | Mar 25, 2025 | 4.9 | 0.00
CVE-2025-1391 | MEDIUM | - | Keycloak Services 26.1.0-26.1.2 - Improper Access Control via Organization Domain Pattern Matching | Feb 17, 2025 | 5.4 | 0.00
CVE-2025-0604 | MEDIUM | - | Keycloak LDAP Federation >=26.1.0 <26.1.3 - Authentication Bypass via Password Reset | Jan 22, 2025 | 5.4 | 0.00
CVE-2024-4028 | LOW | - | Keycloak - Stored Cross-Site Scripting via Admin Console Permission Payload | Feb 18, 2025 | 3.8 | 0.00
CVE-2024-11736 | MEDIUM | - | Keycloak < 26.0.8 - Authenticated Sensitive Information Exposure via URL Placeholder Injection | Jan 14, 2025 | 4.9 | 0.00
CVE-2024-11734 | MEDIUM | - | Keycloak < 26.0.8 - Authenticated Denial of Service via Security Header Newline Injection | Jan 14, 2025 | 6.5 | 0.00
CVE-2024-10973 | MEDIUM | - | Keycloak Quarkus Server 25.0.0-25.99.9 - Cleartext Transmission of Sensitive Information via JGroups Replication | Dec 17, 2024 | 5.7 | 0.00
CVE-2024-9666 | MEDIUM | - | Keycloak - Denial of Service via Proxy Header Handling | Nov 25, 2024 | 4.7 | 0.00
CVE-2024-10492 | LOW | - | Keycloak < 26.0.6 - Authenticated Sensitive Information Disclosure via Vault File Access | Nov 25, 2024 | 2.7 | 0.00
CVE-2024-10451 | MEDIUM | - | Keycloak < 24.0.9 and 26.0 < 26.0.6 - Use of Hard-coded Credentials via Build Process | Nov 25, 2024 | 5.9 | 0.00
CVE-2024-10270 | MEDIUM | - | Keycloak-services < 24.0.9 - Denial of Service via Regex Complexity in SearchQueryUtils | Nov 25, 2024 | 6.5 | 0.00
CVE-2024-3656 | HIGH | NUCLEI | Keycloak < 24.0.5 - Authenticated Privilege Escalation via Admin REST API Endpoints | Oct 09, 2024 | 8.1 | 0.90
CVE-2024-8883 | MEDIUM | NUCLEI | Red Hat Build of Keycloak - Open Redirect via Misconfigured Valid Redirect URI | Sep 19, 2024 | 6.1 | 0.07
CVE-2024-8698 | HIGH | NUCLEI | Keycloak SAML Core < 22.0.13 - Improper Verification of Cryptographic Signature in XMLSignatureUtil | Sep 19, 2024 | 7.7 | 0.82
CVE-2024-7341 | HIGH | - | Keycloak - Session Fixation via SAML Adapter | Sep 09, 2024 | 7.1 | 0.02
CVE-2024-7318 | MEDIUM | - | Red Hat build of Keycloak 22.0-24.0.6 - Use of Expired OTP Codes via FreeOTP Token Period | Sep 09, 2024 | 4.8 | 0.01
CVE-2024-7260 | MEDIUM | - | Keycloak < 24.0.7 - Open Redirect via Referrer URI Parameter | Sep 09, 2024 | 6.1 | 0.00
CVE-2024-4629 | MEDIUM | - | Keycloak < 24.0.3 - Brute Force Protection Bypass via Timing Attack | Sep 03, 2024 | 6.5 | 0.00
CVE-2024-5967 | LOW | - | Keycloak LDAP Federation >=25.0.0 <25.0.1 - Authenticated Credential Leak via LDAP Connection URL Change | Jun 18, 2024 | 2.7 | 0.00
CVE-2024-4540 | HIGH | - | Keycloak < 24.0.5 - Cleartext Storage of Sensitive Information in OAuth 2.0 PAR KC_RESTART Cookie | Jun 03, 2024 | 7.5 | 0.00
CVE-2024-2419 | HIGH | - | Keycloak < 22.0.10 - Open Redirect via redirect_uri Validation Bypass | Apr 17, 2024 | 7.1 | 0.00
CVE-2024-1249 | HIGH | - | Keycloak < 22.0.10 - Unauthenticated Denial of Service via OIDC checkLoginIframe Origin Validation Error | Apr 17, 2024 | 7.4 | 0.00
CVE-2024-1132 | HIGH | - | Keycloak >=21.1.0 <22.0.10 - Open Redirect via Wildcard Valid Redirect URIs | Apr 17, 2024 | 8.1 | 0.00
Products
keycloak-services 74
keycloak-core 48
keycloak-parent 25
keycloak-quarkus-server 9
keycloak-server-spi-private 5
keycloak-ldap-federation 4
keycloak-saml-core 4
keycloak-model-jpa 3
keycloak-saml-adapter-core 3
keycloak-model-infinispan 2
keycloak-quarkus-dist 2
keycloak-account-ui 1
keycloak-adapter-core 1
keycloak-admin-ui 1
keycloak-authz-client 1
keycloak-broker-saml 1
keycloak-common 1
keycloak-js-admin-client 1
keycloak-model-storage-services 1
keycloak-oidc-client-adapter-pom 1