Redhat

Build Of Keycloak

66 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.47%
  • Veröffentlicht 05.03.2026 18:28:36
  • Zuletzt bearbeitet 30.06.2026 03:19:10

A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single...

  • EPSS 0.33%
  • Veröffentlicht 05.03.2026 18:27:43
  • Zuletzt bearbeitet 30.06.2026 03:19:09

A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a prev...

  • EPSS 0.2%
  • Veröffentlicht 27.02.2026 08:10:15
  • Zuletzt bearbeitet 05.03.2026 02:19:42

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none"...

  • EPSS 0.31%
  • Veröffentlicht 27.02.2026 07:30:26
  • Zuletzt bearbeitet 05.03.2026 02:03:32

A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthori...

  • EPSS 0.37%
  • Veröffentlicht 18.07.2025 13:48:45
  • Zuletzt bearbeitet 06.05.2026 17:16:19

A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions(FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege e...

  • EPSS 0.37%
  • Veröffentlicht 29.04.2025 20:46:39
  • Zuletzt bearbeitet 18.08.2025 15:55:00

A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.

  • EPSS 0.65%
  • Veröffentlicht 22.10.2024 14:15:14
  • Zuletzt bearbeitet 23.07.2025 19:15:31

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. This flaw allows an attacker or insider to execute a deployment with a malicious payload, which could trigger undesired behavior aga...

  • EPSS 2.84%
  • Veröffentlicht 09.10.2024 19:15:13
  • Zuletzt bearbeitet 15.04.2026 00:35:42

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breach...

  • EPSS 1.96%
  • Veröffentlicht 19.09.2024 16:15:06
  • Zuletzt bearbeitet 26.11.2024 19:15:32

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes...

  • EPSS 0.8%
  • Veröffentlicht 09.09.2024 19:15:14
  • Zuletzt bearbeitet 27.03.2026 00:16:19

A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who ...