Redhat

Build Of Keycloak

66 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.37%
  • Veröffentlicht 19.05.2026 10:28:24
  • Zuletzt bearbeitet 03.06.2026 19:53:45

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identi...

  • EPSS 0.3%
  • Veröffentlicht 19.05.2026 10:28:15
  • Zuletzt bearbeitet 03.06.2026 19:53:36

A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belongin...

  • EPSS 0.28%
  • Veröffentlicht 19.05.2026 06:27:35
  • Zuletzt bearbeitet 26.06.2026 08:16:25

A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should...

  • EPSS 0.39%
  • Veröffentlicht 19.05.2026 06:04:13
  • Zuletzt bearbeitet 26.06.2026 08:16:25

A flaw was found in Keycloak. An authenticated user can bypass configured WebAuthn policies during credential registration by manipulating client-side JavaScript. This occurs because the server-side processAction() fails to validate that the newly cr...

  • EPSS 0.23%
  • Veröffentlicht 30.04.2026 14:53:09
  • Zuletzt bearbeitet 26.06.2026 08:16:25

When Keycloak is started with `--features-disabled=account,account-api`, the Account REST API is only partially disabled. Five endpoints under the versioned path `/account/v1alpha1` remain fully functional — including both read and write operations —...

  • EPSS 0.23%
  • Veröffentlicht 14.04.2026 14:54:42
  • Zuletzt bearbeitet 02.06.2026 17:37:01

A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with `manage-realm` or `manage-organizations` administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw oc...

  • EPSS 0.25%
  • Veröffentlicht 06.04.2026 08:38:36
  • Zuletzt bearbeitet 26.06.2026 08:16:22

A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the `azp` claim from a client-supplied ...

Exploit
  • EPSS 0.35%
  • Veröffentlicht 02.04.2026 12:45:01
  • Zuletzt bearbeitet 30.06.2026 03:20:35

A flaw was found in Keycloak. An authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation. This allows the attacker to include resource identifiers owned by other users in a policy creation request, even ...

  • EPSS 0.52%
  • Veröffentlicht 02.04.2026 12:44:53
  • Zuletzt bearbeitet 30.06.2026 03:20:35

A flaw was found in Keycloak. An unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with an excessively long scope parameter to the OpenID Connect (OIDC) token endpoint. This leads to high resource con...

  • EPSS 0.25%
  • Veröffentlicht 02.04.2026 12:44:52
  • Zuletzt bearbeitet 16.04.2026 20:51:22

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an attacker to delete arbitrary single-use entries, which can enable the replay of consumed acti...