Redhat

Keycloak

226 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.34%
  • Veröffentlicht 19.05.2026 11:01:26
  • Zuletzt bearbeitet 03.06.2026 19:41:25

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect (OIDC) clients. By manipulating client data during a session r...

  • EPSS 0.42%
  • Veröffentlicht 19.05.2026 11:01:25
  • Zuletzt bearbeitet 30.06.2026 03:21:21

A session fixation vulnerability was found in Keycloak's login-actions endpoints. An unauthenticated attacker could exploit this flaw by pre-creating an authentication session and tricking a victim into visiting a maliciously crafted link. By leverag...

  • EPSS 0.5%
  • Veröffentlicht 19.05.2026 11:01:19
  • Zuletzt bearbeitet 30.06.2026 03:21:21

A flaw was found in Keycloak's URL validation logic during redirect operations. By crafting a malicious request, an attacker could bypass validation to redirect users to unauthorized URLs, potentially leading to the exposure of sensitive information ...

  • EPSS 0.44%
  • Veröffentlicht 19.05.2026 10:52:32
  • Zuletzt bearbeitet 03.06.2026 19:53:41

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay `ExecuteActionsActionToken` tokens within Keycloak's WebAuthn (Web Authentication) flow. By intercepting an execute-actions email link, an attacker can...

  • EPSS 0.37%
  • Veröffentlicht 19.05.2026 10:52:30
  • Zuletzt bearbeitet 03.06.2026 19:50:44

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect (OIDC) token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can re...

  • EPSS 0.4%
  • Veröffentlicht 19.05.2026 10:52:29
  • Zuletzt bearbeitet 03.06.2026 20:04:25

A flaw was found in Keycloak. A low-privilege administrator with the 'view-clients' role can exploit this by invoking the 'evaluate-scopes' Admin API endpoints with an arbitrary user ID (userId) parameter. This vulnerability allows for cross-role per...

  • EPSS 0.74%
  • Veröffentlicht 19.05.2026 10:52:24
  • Zuletzt bearbeitet 30.06.2026 03:21:19

A flaw was found in Keycloak. A remote, unauthenticated attacker can send a specially crafted XML input to the Security Assertion Markup Language (SAML) endpoint. This malicious input can cause high CPU usage and worker thread starvation, leading to ...

  • EPSS 0.37%
  • Veröffentlicht 19.05.2026 10:28:24
  • Zuletzt bearbeitet 03.06.2026 19:53:45

A flaw was found in Keycloak. A broken access control vulnerability in the Account Resources user lookup endpoint allows a remote authenticated user, who owns at least one User-Managed Access (UMA) resource, to enumerate and harvest personally identi...

  • EPSS 0.3%
  • Veröffentlicht 19.05.2026 10:28:15
  • Zuletzt bearbeitet 03.06.2026 19:53:36

A flaw was found in Keycloak. An authenticated client could exploit an Insecure Direct Object Reference (IDOR) vulnerability in the Authorization Services Protection API endpoint. By knowing or obtaining a resource's unique identifier (UUID) belongin...

  • EPSS 0.28%
  • Veröffentlicht 19.05.2026 06:27:35
  • Zuletzt bearbeitet 26.06.2026 08:16:25

A flaw was found in Keycloak. When both realm-level and client-level `notBefore` revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should...