CVE-2026-14781
- EPSS 0.2%
- Veröffentlicht 05.07.2026 06:55:30
- Zuletzt bearbeitet 06.07.2026 18:41:14
A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the email_verified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves ...
CVE-2026-14614
- EPSS 0.15%
- Veröffentlicht 03.07.2026 15:33:00
- Zuletzt bearbeitet 06.07.2026 18:41:14
A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach...
CVE-2026-11800
- EPSS 0.18%
- Veröffentlicht 25.06.2026 20:57:05
- Zuletzt bearbeitet 01.07.2026 18:35:29
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthori...
CVE-2026-28369
- EPSS 0.68%
- Veröffentlicht 27.03.2026 16:13:05
- Zuletzt bearbeitet 10.06.2026 22:16:56
A flaw was found in Undertow. When Undertow receives an HTTP request where the first header line starts with one or more spaces, it incorrectly processes the request by stripping these leading spaces. This behavior, which violates HTTP standards, can...
CVE-2026-28367
- EPSS 0.71%
- Veröffentlicht 27.03.2026 16:13:05
- Zuletzt bearbeitet 29.06.2026 10:16:30
A flaw was found in Undertow. A remote attacker can exploit this vulnerability by sending `\r\r\r` as a header block terminator. This can be used for request smuggling with certain proxy servers, such as older versions of Apache Traffic Server and Go...
CVE-2026-28368
- EPSS 0.7%
- Veröffentlicht 27.03.2026 16:13:03
- Zuletzt bearbeitet 29.06.2026 10:16:31
A flaw was found in Undertow. This vulnerability allows a remote attacker to construct specially crafted requests where header names are parsed differently by Undertow compared to upstream proxies. This discrepancy in header interpretation can be exp...
CVE-2026-3260
- EPSS 0.44%
- Veröffentlicht 24.03.2026 04:11:16
- Zuletzt bearbeitet 07.07.2026 21:16:56
Rejected reason: The Undertow web server enforces a default maximum HTTP request entity size limit. Any request (including GET or HEAD) containing a body that exceeds this configurable limit is safely dropped by the server, preventing single-request ...
CVE-2026-0603
- EPSS 0.78%
- Veröffentlicht 23.01.2026 06:31:38
- Zuletzt bearbeitet 30.06.2026 03:17:02
A flaw was found in Hibernate. A remote attacker with low privileges could exploit a second-order SQL injection vulnerability by providing specially crafted, unsanitized non-alphanumeric characters in the ID column when the InlineIdsOrClauseBuilder i...
CVE-2025-12543
- EPSS 1.18%
- Veröffentlicht 07.01.2026 16:04:22
- Zuletzt bearbeitet 30.06.2026 05:17:10
A flaw was found in the Undertow HTTP server core, which is used in WildFly, JBoss EAP, and other Java applications. The Undertow library fails to properly validate the Host header in incoming HTTP requests.As a result, requests containing malformed ...
CVE-2025-9784
- EPSS 2.17%
- Veröffentlicht 02.09.2025 13:37:59
- Zuletzt bearbeitet 30.06.2026 03:17:01
A flaw was found in Undertow where malformed client requests can trigger server-side stream resets without triggering abuse counters. This issue, referred to as the "MadeYouReset" attack, allows malicious clients to induce excessive server workload b...