Redhat

Keycloak

226 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.21%
  • Veröffentlicht 28.05.2026 04:37:09
  • Zuletzt bearbeitet 03.06.2026 19:38:30

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchan...

  • EPSS 0.19%
  • Veröffentlicht 28.05.2026 04:27:08
  • Zuletzt bearbeitet 03.06.2026 19:38:23

A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges t...

  • EPSS 0.29%
  • Veröffentlicht 28.05.2026 03:49:10
  • Zuletzt bearbeitet 30.06.2026 03:21:47

A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scop...

  • EPSS 0.33%
  • Veröffentlicht 28.05.2026 03:44:20
  • Zuletzt bearbeitet 26.06.2026 08:16:27

A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs....

  • EPSS 0.27%
  • Veröffentlicht 28.05.2026 03:44:18
  • Zuletzt bearbeitet 26.06.2026 08:16:27

A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, ...

  • EPSS 0.12%
  • Veröffentlicht 28.05.2026 03:44:17
  • Zuletzt bearbeitet 03.06.2026 18:26:57

A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remo...

  • EPSS 0.21%
  • Veröffentlicht 28.05.2026 03:27:08
  • Zuletzt bearbeitet 26.06.2026 08:16:26

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This...

  • EPSS 0.32%
  • Veröffentlicht 27.05.2026 12:56:00
  • Zuletzt bearbeitet 26.06.2026 08:16:26

A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently drop...

  • EPSS 0.21%
  • Veröffentlicht 27.05.2026 10:35:03
  • Zuletzt bearbeitet 03.06.2026 15:42:35

A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by...

  • EPSS 0.31%
  • Veröffentlicht 20.05.2026 16:13:03
  • Zuletzt bearbeitet 26.06.2026 08:16:26

A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get lin...