Redhat

Build Of Keycloak

66 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.42%
  • Veröffentlicht 28.05.2026 04:47:10
  • Zuletzt bearbeitet 26.06.2026 08:16:35

A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration e...

  • EPSS 0.31%
  • Veröffentlicht 28.05.2026 04:47:10
  • Zuletzt bearbeitet 26.06.2026 08:16:35

A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, ...

  • EPSS 0.48%
  • Veröffentlicht 28.05.2026 04:42:10
  • Zuletzt bearbeitet 26.06.2026 08:16:34

A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vu...

  • EPSS 0.21%
  • Veröffentlicht 28.05.2026 04:37:09
  • Zuletzt bearbeitet 03.06.2026 19:38:30

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchan...

  • EPSS 0.19%
  • Veröffentlicht 28.05.2026 04:27:08
  • Zuletzt bearbeitet 03.06.2026 19:38:23

A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges t...

  • EPSS 0.29%
  • Veröffentlicht 28.05.2026 03:49:10
  • Zuletzt bearbeitet 30.06.2026 03:21:47

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scop...

  • EPSS 0.33%
  • Veröffentlicht 28.05.2026 03:44:20
  • Zuletzt bearbeitet 26.06.2026 08:16:27

A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs....

  • EPSS 0.27%
  • Veröffentlicht 28.05.2026 03:44:18
  • Zuletzt bearbeitet 26.06.2026 08:16:27

A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, ...

  • EPSS 0.12%
  • Veröffentlicht 28.05.2026 03:44:17
  • Zuletzt bearbeitet 03.06.2026 18:26:57

A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remo...

  • EPSS 0.21%
  • Veröffentlicht 28.05.2026 03:27:08
  • Zuletzt bearbeitet 26.06.2026 08:16:26

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This...