CVE-2026-9705
- EPSS 0.27%
- Veröffentlicht 25.06.2026 16:17:46
- Zuletzt bearbeitet 01.07.2026 18:38:08
A flaw was found in Keycloak's client registration service. A remote attacker, possessing a previously issued Registration Access Token (RAT), could exploit this vulnerability to re-enable a client that an administrator had explicitly disabled. This ...
CVE-2026-9086
- EPSS 0.42%
- Veröffentlicht 25.06.2026 16:16:46
- Zuletzt bearbeitet 01.07.2026 17:23:37
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with `manage-client` permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is a...
CVE-2026-9099
- EPSS 0.29%
- Veröffentlicht 25.06.2026 16:16:43
- Zuletzt bearbeitet 01.07.2026 17:23:10
A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild() endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin...
CVE-2026-9800
- EPSS 0.3%
- Veröffentlicht 25.06.2026 16:16:27
- Zuletzt bearbeitet 02.07.2026 12:17:46
A flaw was found in Keycloak Policy Enforcer. This vulnerability allows any authenticated user to bypass all authorization policies, including role, scope, and User-Managed Access (UMA) permission checks. By including the configured access-denied pag...
CVE-2026-11986
- EPSS 0.2%
- Veröffentlicht 11.06.2026 16:47:11
- Zuletzt bearbeitet 11.06.2026 20:56:29
A flaw was found in the admin-ui-ext component of Keycloak, which provides extended administrative user interface capabilities. The issue occurs because certain bulk role-removal endpoints fail to perform granular permission checks when deleting role...
CVE-2026-11577
- EPSS 0.33%
- Veröffentlicht 08.06.2026 11:44:41
- Zuletzt bearbeitet 03.07.2026 10:16:22
Rejected reason: The reported behavior does not constitute a privilege escalation. Exploitation requires the attacker to already possess the manage-realm administrative role within the realm-management client. By design, the manage-realm role is inte...
CVE-2026-9088
- EPSS 0.35%
- Veröffentlicht 05.06.2026 07:52:52
- Zuletzt bearbeitet 26.06.2026 08:16:26
A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes t...
CVE-2026-9802
- EPSS 0.31%
- Veröffentlicht 28.05.2026 04:47:10
- Zuletzt bearbeitet 26.06.2026 08:16:35
A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, ...
CVE-2026-9803
- EPSS 0.42%
- Veröffentlicht 28.05.2026 04:47:10
- Zuletzt bearbeitet 26.06.2026 08:16:35
A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration e...
CVE-2026-9801
- EPSS 0.48%
- Veröffentlicht 28.05.2026 04:42:10
- Zuletzt bearbeitet 26.06.2026 08:16:34
A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vu...