Redhat

Build Of Keycloak

66 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.32%
  • Veröffentlicht 27.05.2026 12:56:00
  • Zuletzt bearbeitet 26.06.2026 08:16:26

A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently drop...

  • EPSS 0.21%
  • Veröffentlicht 27.05.2026 10:35:03
  • Zuletzt bearbeitet 03.06.2026 15:42:35

A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by...

  • EPSS 0.31%
  • Veröffentlicht 20.05.2026 16:13:03
  • Zuletzt bearbeitet 26.06.2026 08:16:26

A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get lin...

  • EPSS 0.34%
  • Veröffentlicht 19.05.2026 11:01:26
  • Zuletzt bearbeitet 03.06.2026 19:41:25

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session r...

  • EPSS 0.42%
  • Veröffentlicht 19.05.2026 11:01:25
  • Zuletzt bearbeitet 30.06.2026 03:21:21

A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leverag...

  • EPSS 0.5%
  • Veröffentlicht 19.05.2026 11:01:19
  • Zuletzt bearbeitet 30.06.2026 03:21:21

A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information ...

  • EPSS 0.44%
  • Veröffentlicht 19.05.2026 10:52:32
  • Zuletzt bearbeitet 03.06.2026 19:53:41

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can...

  • EPSS 0.37%
  • Veröffentlicht 19.05.2026 10:52:30
  • Zuletzt bearbeitet 03.06.2026 19:50:44

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can re...

  • EPSS 0.4%
  • Veröffentlicht 19.05.2026 10:52:29
  • Zuletzt bearbeitet 03.06.2026 20:04:25

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role per...

  • EPSS 0.74%
  • Veröffentlicht 19.05.2026 10:52:24
  • Zuletzt bearbeitet 30.06.2026 03:21:19

A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to ...