Redhat

Build Of Keycloak

66 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.42%
  • Veröffentlicht 02.04.2026 12:44:52
  • Zuletzt bearbeitet 30.06.2026 03:20:31

A flaw was found in Keycloak. The SingleUseObjectProvider, a global key-value store, lacks proper type and namespace isolation. This vulnerability allows an unauthenticated attacker to forge authorization codes. Successful exploitation can lead to th...

  • EPSS 0.44%
  • Veröffentlicht 02.04.2026 12:37:30
  • Zuletzt bearbeitet 30.06.2026 03:19:14

A flaw was found in Keycloak. This issue allows an attacker, who controls another path on the same web server, to bypass the allowed path in redirect Uniform Resource Identifiers (URIs) that use a wildcard. A successful attack may lead to the theft o...

  • EPSS 0.47%
  • Veröffentlicht 26.03.2026 19:13:26
  • Zuletzt bearbeitet 02.04.2026 14:16:31

A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over rol...

  • EPSS 0.32%
  • Veröffentlicht 26.03.2026 19:12:38
  • Zuletzt bearbeitet 02.04.2026 14:16:31

A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even...

  • EPSS 0.3%
  • Veröffentlicht 26.03.2026 07:12:37
  • Zuletzt bearbeitet 26.06.2026 08:16:23

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `bac...

Exploit
  • EPSS 0.32%
  • Veröffentlicht 23.03.2026 10:53:35
  • Zuletzt bearbeitet 01.04.2026 14:26:47

A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to informa...

  • EPSS 0.2%
  • Veröffentlicht 23.03.2026 08:09:22
  • Zuletzt bearbeitet 01.04.2026 14:29:05

A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs du...

  • EPSS 0.23%
  • Veröffentlicht 18.03.2026 04:02:59
  • Zuletzt bearbeitet 09.06.2026 17:17:49

A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintend...

  • EPSS 0.5%
  • Veröffentlicht 18.03.2026 03:19:09
  • Zuletzt bearbeitet 03.06.2026 19:36:23

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEF...

  • EPSS 0.33%
  • Veröffentlicht 11.03.2026 05:36:43
  • Zuletzt bearbeitet 07.05.2026 18:30:50

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were c...