Redhat

Keycloak

226 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
  • EPSS 0.33%
  • Veröffentlicht 11.03.2026 05:36:43
  • Zuletzt bearbeitet 07.05.2026 18:30:50

A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were c...

  • EPSS 0.47%
  • Veröffentlicht 05.03.2026 18:28:36
  • Zuletzt bearbeitet 30.06.2026 03:19:10

A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an Identity Provider (IdP)-initiated broker landing target, it can still complete the login process and establish a Single...

  • EPSS 0.33%
  • Veröffentlicht 05.03.2026 18:27:43
  • Zuletzt bearbeitet 30.06.2026 03:19:09

A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a prev...

  • EPSS 0.2%
  • Veröffentlicht 27.02.2026 08:10:15
  • Zuletzt bearbeitet 05.03.2026 02:19:42

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none"...

  • EPSS 0.31%
  • Veröffentlicht 27.02.2026 07:30:26
  • Zuletzt bearbeitet 05.03.2026 02:03:32

A flaw was found in Keycloak. An administrator with `manage-users` permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthori...

  • EPSS 0.33%
  • Veröffentlicht 19.02.2026 07:48:08
  • Zuletzt bearbeitet 15.04.2026 00:35:42

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does no...

  • EPSS 0.14%
  • Veröffentlicht 10.02.2026 11:16:09
  • Zuletzt bearbeitet 15.04.2026 00:35:42

A flaw was found in Keycloak. When the logging format is configured to a verbose, user-supplied pattern (such as the pre-defined 'long' pattern), sensitive headers including Authorization and Cookie are disclosed to the logs in cleartext. An attacker...

  • EPSS 0.29%
  • Veröffentlicht 09.02.2026 18:58:29
  • Zuletzt bearbeitet 15.04.2026 00:35:42

A flaw was found in Keycloak. A significant Broken Access Control vulnerability exists in the UserManagedPermissionService (UMA Protection API). When updating or deleting a UMA policy associated with multiple resources, the authorization check only v...

  • EPSS 0.45%
  • Veröffentlicht 09.02.2026 18:36:15
  • Zuletzt bearbeitet 30.06.2026 03:17:17

A flaw was found in Keycloak. An attacker can exploit this vulnerability by modifying the organization ID and target email within a legitimate invitation token's JSON Web Token (JWT) payload. This lack of cryptographic signature verification allows t...

  • EPSS 0.45%
  • Veröffentlicht 09.02.2026 18:36:10
  • Zuletzt bearbeitet 30.06.2026 03:17:16

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider (IdP) is enabled before issuing tokens. The issuer lookup mechanism (lookupIdentityProviderFromIssuer) r...