CVE-2026-14781
- EPSS 0.2%
- Veröffentlicht 05.07.2026 06:55:30
- Zuletzt bearbeitet 06.07.2026 18:41:14
A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the email_verified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves ...
CVE-2026-14615
- EPSS 0.17%
- Veröffentlicht 03.07.2026 15:47:08
- Zuletzt bearbeitet 06.07.2026 18:41:14
A flaw was found in the Fine-Grained Admin Permissions (FGAP) v2 implementation within Keycloak's administrative services. When FGAP v2 is enabled, the system fails to properly filter child groups based on the caller's specific permissions when reque...
CVE-2026-14614
- EPSS 0.15%
- Veröffentlicht 03.07.2026 15:33:00
- Zuletzt bearbeitet 06.07.2026 18:41:14
A flaw was found in the ClientResource component of Keycloak's admin services when Fine-Grained Admin Permissions (FGAP) v2 is enabled. This issue allows a delegated administrator, who should only have limited control over specific clients, to attach...
CVE-2026-14613
- EPSS 0.17%
- Veröffentlicht 03.07.2026 15:16:44
- Zuletzt bearbeitet 07.07.2026 18:16:35
A vulnerability was discovered in Keycloak's administrative interface that allows certain administrators to see information about groups they shouldn't have access to. When the new Fine-Grained Admin Permissions (FGAP v2) are turned on, an administra...
CVE-2026-12388
- EPSS 0.25%
- Veröffentlicht 30.06.2026 12:00:28
- Zuletzt bearbeitet 01.07.2026 20:26:45
A flaw was found in the Identity Provider (IdP) mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can ...
CVE-2026-4629
- EPSS 0.25%
- Veröffentlicht 30.06.2026 12:00:28
- Zuletzt bearbeitet 01.07.2026 20:25:39
A flaw was found in Keycloak. A highly privileged user with `manage-clients` permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject ...
CVE-2026-14209
- EPSS 0.18%
- Veröffentlicht 30.06.2026 11:48:26
- Zuletzt bearbeitet 01.07.2026 20:26:25
A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions (FGAPv2) are enabled, an administrator who should only be able to search for...
CVE-2026-11800
- EPSS 0.18%
- Veröffentlicht 25.06.2026 20:57:05
- Zuletzt bearbeitet 01.07.2026 18:35:29
A flaw was found in Keycloak. This JWT algorithm confusion vulnerability in the JWT Authorization Grant flow allows an attacker with valid client credentials to bypass signature verification. By forging an assertion, the attacker can create unauthori...
CVE-2026-9083
- EPSS 0.52%
- Veröffentlicht 25.06.2026 16:17:49
- Zuletzt bearbeitet 01.07.2026 17:22:17
A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator t...
CVE-2026-9799
- EPSS 0.17%
- Veröffentlicht 25.06.2026 16:17:48
- Zuletzt bearbeitet 01.07.2026 18:37:39
A flaw was found in org.keycloak.authorization. An authenticated user with a granted User-Managed Access (UMA) permission ticket for one resource can exploit this by using a specific permission request prefix to bypass per-resource access control. Th...