CVE-2026-9803
- EPSS 0.42%
- Veröffentlicht 28.05.2026 04:47:10
- Zuletzt bearbeitet 26.06.2026 08:16:35
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration e...
CVE-2026-9802
- EPSS 0.31%
- Veröffentlicht 28.05.2026 04:47:10
- Zuletzt bearbeitet 26.06.2026 08:16:35
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, ...
CVE-2026-9801
- EPSS 0.48%
- Veröffentlicht 28.05.2026 04:42:10
- Zuletzt bearbeitet 26.06.2026 08:16:34
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vu...
CVE-2026-9798
- EPSS 0.21%
- Veröffentlicht 28.05.2026 04:37:09
- Zuletzt bearbeitet 03.06.2026 19:38:30
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchan...
CVE-2026-9796
- EPSS 0.19%
- Veröffentlicht 28.05.2026 04:27:08
- Zuletzt bearbeitet 03.06.2026 19:38:23
A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges t...
CVE-2026-9795
- EPSS 0.29%
- Veröffentlicht 28.05.2026 03:49:10
- Zuletzt bearbeitet 30.06.2026 03:21:47
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scop...
CVE-2026-9794
- EPSS 0.33%
- Veröffentlicht 28.05.2026 03:44:20
- Zuletzt bearbeitet 26.06.2026 08:16:27
A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs....
CVE-2026-9792
- EPSS 0.27%
- Veröffentlicht 28.05.2026 03:44:18
- Zuletzt bearbeitet 26.06.2026 08:16:27
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, ...
CVE-2026-9793
- EPSS 0.12%
- Veröffentlicht 28.05.2026 03:44:17
- Zuletzt bearbeitet 03.06.2026 18:26:57
A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remo...
CVE-2026-9791
- EPSS 0.21%
- Veröffentlicht 28.05.2026 03:27:08
- Zuletzt bearbeitet 26.06.2026 08:16:26
A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This...