CVE-2026-7571
- EPSS 0.34%
- Veröffentlicht 19.05.2026 11:01:26
- Zuletzt bearbeitet 03.06.2026 19:41:25
A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session r...
CVE-2026-7507
- EPSS 0.42%
- Veröffentlicht 19.05.2026 11:01:25
- Zuletzt bearbeitet 30.06.2026 03:21:21
A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leverag...
CVE-2026-7504
- EPSS 0.5%
- Veröffentlicht 19.05.2026 11:01:19
- Zuletzt bearbeitet 30.06.2026 03:21:21
A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information ...
CVE-2026-37982
- EPSS 0.44%
- Veröffentlicht 19.05.2026 10:52:32
- Zuletzt bearbeitet 03.06.2026 19:53:41
A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can...
CVE-2026-37979
- EPSS 0.37%
- Veröffentlicht 19.05.2026 10:52:30
- Zuletzt bearbeitet 03.06.2026 19:50:44
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can re...
CVE-2026-37978
- EPSS 0.4%
- Veröffentlicht 19.05.2026 10:52:29
- Zuletzt bearbeitet 03.06.2026 20:04:25
A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role per...
CVE-2026-7307
- EPSS 0.74%
- Veröffentlicht 19.05.2026 10:52:24
- Zuletzt bearbeitet 30.06.2026 03:21:19
A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to ...
CVE-2026-37981
- EPSS 0.37%
- Veröffentlicht 19.05.2026 10:28:24
- Zuletzt bearbeitet 03.06.2026 19:53:45
A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identi...
CVE-2026-4630
- EPSS 0.3%
- Veröffentlicht 19.05.2026 10:28:15
- Zuletzt bearbeitet 03.06.2026 19:53:36
A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belongin...
CVE-2026-8922
- EPSS 0.28%
- Veröffentlicht 19.05.2026 06:27:35
- Zuletzt bearbeitet 26.06.2026 08:16:25
A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should...