Skip to content
Threat Feed
Subscribe

Tag

Keycloak

12 briefs RSS
high advisory

Keycloak Vulnerability Allows Data Confidentiality Breach and Security Policy Bypass

A vulnerability in Keycloak versions prior to 26.2.14, 26.4.10, and 26.5.5 allows an attacker to cause a breach of data confidentiality and bypass the security policy, as tracked by CVE-2026-2092.

Keycloak +2 vulnerability data breach security policy bypass
2r 1t 1c
medium threat

Keycloak OIDC Implicit Flow Bypass Vulnerability (CVE-2026-7571)

CVE-2026-7571 describes a vulnerability in Keycloak where a low-privilege user can bypass security controls intended to disable the implicit flow in OpenID Connect (OIDC) clients by manipulating client data during session restart, potentially exposing access tokens.

Keycloak oidc implicit-flow cve-2026-7571 credential-access
2r 1t 1c
high advisory

CVE-2026-7507: Keycloak Session Fixation Vulnerability in Login Actions Endpoints

A session fixation vulnerability in Keycloak's /login-actions/restart endpoint allows an unauthenticated attacker to hijack a user's session by crafting a malicious link that resets the authentication flow, potentially leading to account takeover.

Keycloak session fixation account takeover cve-2026-7507
2r 1t 1c
high advisory

Keycloak Open Redirect Vulnerability (CVE-2026-7504)

A vulnerability in Keycloak's URL validation allows attackers to redirect users to unauthorized URLs by exploiting discrepancies in the handling of the user-info component within URLs, potentially leading to sensitive information exposure.

Keycloak open-redirect cve cloud
2r 1t 1c
medium advisory

Keycloak Security Bypass Vulnerability

An authenticated remote attacker can exploit a vulnerability in Keycloak to bypass security measures.

Keycloak security-bypass authentication
2r 1t
medium advisory

Keycloak Vulnerability Allows Arbitrary Email Sending

An anonymous, remote attacker can exploit a vulnerability in Keycloak to send arbitrary emails, potentially leading to phishing or social engineering attacks.

Keycloak email vulnerability spoofing
2r 1t
critical advisory

Multiple Vulnerabilities in Red Hat Build of Keycloak

Multiple vulnerabilities in Red Hat Build of Keycloak could allow an attacker to bypass authentication, gain elevated privileges, disclose sensitive information, cause a denial of service condition, execute arbitrary code, or manipulate data.

Build of Keycloak keycloak vulnerability authentication-bypass
2r 5t
medium advisory

Keycloak Cross-Site Scripting Vulnerability

An authenticated remote attacker can exploit a vulnerability in Keycloak to perform a Cross-Site Scripting attack, potentially leading to unauthorized access and data compromise.

keycloak xss cross-site scripting cloud
2r 1t
high advisory

Keycloak UMA Policy Bypass Vulnerability (CVE-2026-4636)

CVE-2026-4636 describes a vulnerability in Keycloak where an authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation, leading to unauthorized access to victim-owned resources.

keycloak uma policy-bypass privilege-escalation
2r 3t 1c
high advisory

Keycloak Denial-of-Service Vulnerability via Excessive Scope Parameter (CVE-2026-4634)

An unauthenticated attacker can cause a denial-of-service on Keycloak servers by sending a crafted POST request to the OIDC token endpoint with an excessively long scope parameter, leading to high resource consumption.

cve-2026-4634 denial-of-service keycloak
2r 1t 1c
medium advisory

Keycloak Redirect URI Bypass Vulnerability (CVE-2026-3872)

CVE-2026-3872 is a vulnerability in Keycloak that allows an attacker controlling a path on the same web server to bypass URI redirect validation using a wildcard, potentially leading to access token theft and information disclosure.

keycloak redirect-uri-bypass cve-2026-3872 authentication authorization
2r 1t 1c
high advisory

Keycloak Authorization Code Forging Vulnerability (CVE-2026-4282)

An unauthenticated attacker can exploit CVE-2026-4282 in Keycloak's SingleUseObjectProvider to forge authorization codes, leading to privilege escalation and the creation of admin-capable access tokens.

keycloak privilege-escalation authorization
2r 1t 1c