CVE-2026-9798
- EPSS 0.21%
- Veröffentlicht 28.05.2026 04:37:09
- Zuletzt bearbeitet 03.06.2026 19:38:30
A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchan...
CVE-2026-9796
- EPSS 0.19%
- Veröffentlicht 28.05.2026 04:27:08
- Zuletzt bearbeitet 03.06.2026 19:38:23
A flaw was found in Keycloak. An authenticated administrator with the `manage-clients` role can exploit a Time-of-check to time-of-use (TOCTOU) vulnerability in the name-based admin role checks. This allows the attacker to escalate their privileges t...
CVE-2026-9795
- EPSS 0.29%
- Veröffentlicht 28.05.2026 03:49:10
- Zuletzt bearbeitet 30.06.2026 03:21:47
A flaw was found in Keycloak's Fine-Grained Admin Permissions (FGAPv2) feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scop...
CVE-2026-9794
- EPSS 0.33%
- Veröffentlicht 28.05.2026 03:44:20
- Zuletzt bearbeitet 26.06.2026 08:16:27
A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs....
CVE-2026-9792
- EPSS 0.27%
- Veröffentlicht 28.05.2026 03:44:18
- Zuletzt bearbeitet 26.06.2026 08:16:27
A flaw was found in Keycloak's Client Policies, specifically within the `org.keycloak.protocol.oidc` component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, ...
CVE-2026-9793
- EPSS 0.12%
- Veröffentlicht 28.05.2026 03:44:17
- Zuletzt bearbeitet 03.06.2026 18:26:57
A flaw was found in Keycloak. When a JSON Web Encryption (JWE) encrypted request object is submitted, Keycloak may incorrectly process unsigned claims if the decrypted content is raw JSON, bypassing the configured signature policy. This allows a remo...
CVE-2026-9791
- EPSS 0.21%
- Veröffentlicht 28.05.2026 03:27:08
- Zuletzt bearbeitet 26.06.2026 08:16:26
A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This...
CVE-2026-9704
- EPSS 0.32%
- Veröffentlicht 27.05.2026 12:56:00
- Zuletzt bearbeitet 26.06.2026 08:16:26
A flaw was found in Keycloak. An authenticated user with low privileges can exploit this vulnerability by sending an oversized subject_token JSON Web Token (JWT) to the TokenEndpoint. When the token exceeds a 4000-character limit, it is silently drop...
CVE-2026-9689
- EPSS 0.21%
- Veröffentlicht 27.05.2026 10:35:03
- Zuletzt bearbeitet 03.06.2026 15:42:35
A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers (URIs), a remote attacker can manipulate the authentication process by...
CVE-2026-9087
- EPSS 0.31%
- Veröffentlicht 20.05.2026 16:13:03
- Zuletzt bearbeitet 26.06.2026 08:16:26
A flaw was found in Keycloak. The cross-session verification proof is keyed only by (local userId, idpAlias) and is not bound to the upstream identity that was actually verified, so a second upstream account on the same IdP can consume it and get lin...