CVE-2026-37981
- EPSS 0.37%
- Veröffentlicht 19.05.2026 10:28:24
- Zuletzt bearbeitet 03.06.2026 19:53:45
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identi...
CVE-2026-4630
- EPSS 0.3%
- Veröffentlicht 19.05.2026 10:28:15
- Zuletzt bearbeitet 03.06.2026 19:53:36
A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belongin...
CVE-2026-8922
- EPSS 0.28%
- Veröffentlicht 19.05.2026 06:27:35
- Zuletzt bearbeitet 26.06.2026 08:16:25
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should...
CVE-2026-8830
- EPSS 0.39%
- Veröffentlicht 19.05.2026 06:04:13
- Zuletzt bearbeitet 26.06.2026 08:16:25
A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly cr...
CVE-2026-7500
- EPSS 0.23%
- Veröffentlicht 30.04.2026 14:53:09
- Zuletzt bearbeitet 26.06.2026 08:16:25
When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations —...
CVE-2026-37980
- EPSS 0.23%
- Veröffentlicht 14.04.2026 14:54:42
- Zuletzt bearbeitet 02.06.2026 17:37:01
A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw oc...
CVE-2026-37977
- EPSS 0.25%
- Veröffentlicht 06.04.2026 08:38:36
- Zuletzt bearbeitet 26.06.2026 08:16:22
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied ...
CVE-2026-4636
- EPSS 0.35%
- Veröffentlicht 02.04.2026 12:45:01
- Zuletzt bearbeitet 30.06.2026 03:20:35
A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even ...
CVE-2026-4634
- EPSS 0.52%
- Veröffentlicht 02.04.2026 12:44:53
- Zuletzt bearbeitet 30.06.2026 03:20:35
A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource con...
CVE-2026-4325
- EPSS 0.25%
- Veröffentlicht 02.04.2026 12:44:52
- Zuletzt bearbeitet 16.04.2026 20:51:22
A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed acti...