CVE-2026-4629
- EPSS 0.25%
- Veröffentlicht 30.06.2026 12:00:28
- Zuletzt bearbeitet 01.07.2026 20:25:39
A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject ...
CVE-2026-12388
- EPSS 0.25%
- Veröffentlicht 30.06.2026 12:00:28
- Zuletzt bearbeitet 01.07.2026 20:26:45
A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can ...
CVE-2026-14209
- EPSS 0.18%
- Veröffentlicht 30.06.2026 11:48:26
- Zuletzt bearbeitet 01.07.2026 20:26:25
A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for...
CVE-2026-11800
- EPSS 0.18%
- Veröffentlicht 25.06.2026 20:57:05
- Zuletzt bearbeitet 01.07.2026 18:35:29
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthori...
CVE-2026-9083
- EPSS 0.52%
- Veröffentlicht 25.06.2026 16:17:49
- Zuletzt bearbeitet 01.07.2026 17:22:17
A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator t...
CVE-2026-9799
- EPSS 0.17%
- Veröffentlicht 25.06.2026 16:17:48
- Zuletzt bearbeitet 01.07.2026 18:37:39
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. Th...
CVE-2026-9705
- EPSS 0.27%
- Veröffentlicht 25.06.2026 16:17:46
- Zuletzt bearbeitet 01.07.2026 18:38:08
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This ...
CVE-2026-9086
- EPSS 0.42%
- Veröffentlicht 25.06.2026 16:16:46
- Zuletzt bearbeitet 01.07.2026 17:23:37
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is a...
CVE-2026-9099
- EPSS 0.29%
- Veröffentlicht 25.06.2026 16:16:43
- Zuletzt bearbeitet 01.07.2026 17:23:10
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin...
CVE-2026-9800
- EPSS 0.3%
- Veröffentlicht 25.06.2026 16:16:27
- Zuletzt bearbeitet 02.07.2026 12:17:46
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied pag...