Redhat

Keycloak

226 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.71%
  • Veröffentlicht 25.04.2024 16:15:10
  • Zuletzt bearbeitet 15.04.2026 00:35:42

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow...

  • EPSS 0.74%
  • Veröffentlicht 25.04.2024 16:15:10
  • Zuletzt bearbeitet 30.06.2025 13:49:15

A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This flaw allows hijacking an active Keycloak session by triggering a new authentication process with the query parameter "p...

  • EPSS 1.01%
  • Veröffentlicht 25.04.2024 16:15:09
  • Zuletzt bearbeitet 26.06.2026 08:16:20

A log injection flaw was found in Keycloak. A text string may be injected through the authentication form when using the WebAuthn authentication mode. This issue may have a minor impact to the logs integrity.

  • EPSS 0.6%
  • Veröffentlicht 25.04.2024 13:15:50
  • Zuletzt bearbeitet 15.04.2026 00:35:42

A flaw was found in Keycloak, where it does not correctly validate its client step-up authentication in org.keycloak.authentication. This flaw allows a remote user authenticated with a password to register a false second authentication factor along w...

  • EPSS 0.45%
  • Veröffentlicht 17.04.2024 14:15:08
  • Zuletzt bearbeitet 15.04.2026 00:35:42

A flaw was found in Keycloak's OIDC component in the "checkLoginIframe," which allows unvalidated cross-origin messages. This flaw allows attackers to coordinate and send millions of requests in seconds using simple code, significantly impacting the ...

  • EPSS 0.5%
  • Veröffentlicht 17.04.2024 14:15:08
  • Zuletzt bearbeitet 15.04.2026 00:35:42

A flaw was found in Keycloak's redirect_uri validation logic. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to the theft of an access token, making it possible for the attacker to impersonate other ...

  • EPSS 1.55%
  • Veröffentlicht 17.04.2024 14:15:07
  • Zuletzt bearbeitet 30.06.2025 13:58:57

A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker to construct a malicious request to bypass validation and access other URLs and sensitive information within the domain ...

  • EPSS 0.77%
  • Veröffentlicht 29.02.2024 01:43:54
  • Zuletzt bearbeitet 14.02.2025 17:24:40

A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other accounts from logging in.

  • EPSS 0.95%
  • Veröffentlicht 26.01.2024 15:15:08
  • Zuletzt bearbeitet 21.11.2024 08:43:32

A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate o...

  • EPSS 0.69%
  • Veröffentlicht 21.12.2023 10:15:34
  • Zuletzt bearbeitet 21.11.2024 07:58:52

Keycloak's device authorization grant does not correctly validate the device code and client ID. An attacker client could abuse the missing validation to spoof a client consent request and trick an authorization admin into granting consent to a malic...