{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/keycloak/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["keycloak","xss","cross-site scripting","cloud"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA Cross-Site Scripting (XSS) vulnerability exists within Keycloak, a widely-used open-source identity and access management solution. This vulnerability allows a remote, authenticated attacker to inject malicious scripts into web pages viewed by other users. The attacker must possess valid credentials to initially access the vulnerable Keycloak instance. While the specific version affected is not provided in this advisory, it\u0026rsquo;s crucial for organizations using Keycloak to investigate and apply necessary patches or mitigations. The impact of successful exploitation ranges from defacement to sensitive data theft and account compromise. 
Defenders should prioritize patching Keycloak installations and implementing input validation to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker authenticates to the Keycloak instance with valid credentials.\u003c/li\u003e\n\u003cli\u003eAttacker identifies a vulnerable input field or parameter within the Keycloak application (e.g., user profile, group name, etc.).\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload containing JavaScript code.\u003c/li\u003e\n\u003cli\u003eAttacker injects the malicious payload into the vulnerable input field.\u003c/li\u003e\n\u003cli\u003eThe Keycloak application stores the malicious payload without proper sanitization.\u003c/li\u003e\n\u003cli\u003eA victim user (e.g., another authenticated user or an administrator) accesses the page containing the injected payload.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s browser executes the malicious JavaScript code.\u003c/li\u003e\n\u003cli\u003eThe attacker can then steal cookies, redirect the user to a malicious site, or perform other actions on behalf of the victim.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this XSS vulnerability can lead to several negative consequences. An attacker could potentially steal session cookies, allowing them to impersonate other users, including administrators. This could grant them unauthorized access to sensitive data, configuration settings, and management functions. Furthermore, the attacker could deface the Keycloak interface, inject phishing scams, or redirect users to malicious websites. 
The number of victims depends on the number of users accessing the page with the injected XSS payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement input validation and output encoding to prevent XSS attacks within Keycloak.\u003c/li\u003e\n\u003cli\u003eReview Keycloak access logs for suspicious activity related to user profiles and injected scripts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect possible XSS attempts in Keycloak logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T07:33:56Z","date_published":"2026-04-15T07:33:56Z","id":"/briefs/2026-04-keycloak-xss/","summary":"An authenticated remote attacker can exploit a vulnerability in Keycloak to perform a Cross-Site Scripting attack, potentially leading to unauthorized access and data compromise.","title":"Keycloak Cross-Site Scripting Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-keycloak-xss/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-4636"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["keycloak","uma","policy-bypass","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability, identified as CVE-2026-4636, has been discovered in Keycloak, a popular open-source identity and access management solution. This flaw allows an authenticated user who possesses the \u003ccode\u003euma_protection\u003c/code\u003e role to bypass User-Managed Access (UMA) policy validation. By exploiting this vulnerability, an attacker can manipulate policy creation requests to include resource identifiers that belong to other users. This circumvents the intended access controls and enables the attacker to gain unauthorized permissions to resources owned by victims. 
The scope of the attack is limited to Keycloak instances where UMA is enabled and users have the \u003ccode\u003euma_protection\u003c/code\u003e role. This can lead to significant data breaches and unauthorized actions performed under the guise of legitimate users.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to Keycloak with an account that has the \u003ccode\u003euma_protection\u003c/code\u003e role.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a request to create a new UMA policy.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the policy creation request to include resource identifiers that belong to other users. This is done even though the URL path in the request specifies a resource owned by the attacker.\u003c/li\u003e\n\u003cli\u003eThe UMA policy validation mechanism fails to properly verify the ownership of the included resource identifiers.\u003c/li\u003e\n\u003cli\u003eKeycloak creates the UMA policy, granting the attacker unauthorized permissions to the victim-owned resources.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains a Requesting Party Token (RPT) for the victim\u0026rsquo;s resources using the newly created policy.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the RPT to access the victim\u0026rsquo;s resources, potentially accessing sensitive information.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions on the victim\u0026rsquo;s resources, leveraging the gained permissions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4636 allows an attacker to gain unauthorized access to resources managed by Keycloak. This can lead to the exposure of sensitive data, such as personal information, financial records, or confidential business documents. 
The number of affected users depends on the scope of the attacker\u0026rsquo;s access and the number of resources they can compromise. The impact could range from individual account compromise to widespread data breaches affecting entire organizations relying on Keycloak for access control.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Keycloak that resolves CVE-2026-4636 as soon as it becomes available.\u003c/li\u003e\n\u003cli\u003eMonitor Keycloak logs for suspicious UMA policy creation requests that include resource identifiers not owned by the requesting user. Create a Sigma rule based on webserver logs and filter for POST requests on \u003ccode\u003e/auth/realms/\u0026lt;realm\u0026gt;/authz/protection/uma-policy/\u003c/code\u003e with suspicious resource IDs in the body.\u003c/li\u003e\n\u003cli\u003eImplement additional access controls and validation mechanisms to verify the ownership of resource identifiers during UMA policy creation.\u003c/li\u003e\n\u003cli\u003eReview existing UMA policies to identify and remove any policies that may have been created maliciously using this vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:16:27Z","date_published":"2026-04-02T13:16:27Z","id":"/briefs/2026-04-keycloak-uma-bypass/","summary":"CVE-2026-4636 describes a vulnerability in Keycloak where an authenticated user with the uma_protection role can bypass User-Managed Access (UMA) policy validation, leading to unauthorized access to victim-owned resources.","title":"Keycloak UMA Policy Bypass Vulnerability (CVE-2026-4636)","url":"https://feed.craftedsignal.io/briefs/2026-04-keycloak-uma-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-4634"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-4634","denial-of-service","keycloak"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4634 describes a denial-of-service vulnerability affecting Keycloak servers. This vulnerability allows an unauthenticated attacker to exhaust server resources by sending a specially crafted HTTP POST request to the OpenID Connect (OIDC) token endpoint. The malicious request includes an excessively long scope parameter, which forces the Keycloak server to consume significant processing time and memory. This can result in prolonged processing times for legitimate requests and ultimately a denial of service for all users of the affected Keycloak instance. The vulnerability was reported on April 2, 2026, and affects unpatched versions of Keycloak. 
Defenders should prioritize patching and consider implementing rate limiting to mitigate the impact of this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Keycloak instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST request targeted at the OIDC token endpoint (e.g., \u003ccode\u003e/auth/realms/{realm-name}/protocol/openid-connect/token\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe attacker includes a \u003ccode\u003escope\u003c/code\u003e parameter in the POST request.\u003c/li\u003e\n\u003cli\u003eThe attacker sets the value of the \u003ccode\u003escope\u003c/code\u003e parameter to an extremely long string, causing the Keycloak server to allocate excessive resources when processing it.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious POST request to the Keycloak server.\u003c/li\u003e\n\u003cli\u003eThe Keycloak server attempts to process the excessively long \u003ccode\u003escope\u003c/code\u003e parameter, consuming CPU and memory resources.\u003c/li\u003e\n\u003cli\u003eRepeated requests from the attacker further exhaust server resources.\u003c/li\u003e\n\u003cli\u003eThe Keycloak server becomes unresponsive, leading to a denial of service for legitimate users.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4634 results in a denial-of-service condition, rendering the Keycloak server unavailable. This impacts all applications and services relying on Keycloak for authentication and authorization. The number of affected users depends on the size and criticality of the Keycloak deployment. Organizations in any sector using Keycloak are potentially vulnerable. 
Unavailability can disrupt business operations, impacting productivity and revenue.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch released by Red Hat/Keycloak to address CVE-2026-4634 to eliminate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement rate limiting on the OIDC token endpoint to restrict the number of requests from a single IP address within a given timeframe.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to the OIDC token endpoint with unusually long \u003ccode\u003escope\u003c/code\u003e parameters to detect potential exploitation attempts and deploy the Sigma rule \u003ccode\u003eDetect Suspiciously Long Scope Parameter\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eConsider deploying a web application firewall (WAF) rule to block requests with excessively long scope parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:16:27Z","date_published":"2026-04-02T13:16:27Z","id":"/briefs/2026-04-keycloak-dos/","summary":"An unauthenticated attacker can cause a denial-of-service on Keycloak servers by sending a crafted POST request to the OIDC token endpoint with an excessively long scope parameter, leading to high resource consumption.","title":"Keycloak Denial-of-Service Vulnerability via Excessive Scope Parameter (CVE-2026-4634)","url":"https://feed.craftedsignal.io/briefs/2026-04-keycloak-dos/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-3872"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["keycloak","redirect-uri-bypass","cve-2026-3872","authentication","authorization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-3872 is a security flaw found in Keycloak, a popular open-source identity and access management solution. 
This vulnerability allows a malicious actor who has control over another path on the same web server hosting Keycloak to circumvent the allowed path restrictions in redirect URIs that use a wildcard. By exploiting this weakness, an attacker can potentially redirect a user to a malicious site after authentication, intercept the access token, and gain unauthorized access to the user\u0026rsquo;s resources. The vulnerability could lead to the disclosure of sensitive information and potentially compromise user accounts. This was published on April 2, 2026, and has a CVSS v3.1 score of 7.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains control of a path on the same web server hosting the Keycloak instance. This could be achieved through various means, such as exploiting a separate vulnerability in another application hosted on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL that exploits the wildcard redirect URI validation flaw in Keycloak. 
The crafted URL includes a redirect URI that bypasses the intended restrictions.\u003c/li\u003e\n\u003cli\u003eA legitimate user initiates an authentication request to Keycloak, potentially through a vulnerable application relying on Keycloak for authentication.\u003c/li\u003e\n\u003cli\u003eKeycloak processes the authentication request and, due to the vulnerability, accepts the attacker\u0026rsquo;s crafted redirect URI as valid.\u003c/li\u003e\n\u003cli\u003eKeycloak redirects the user to the attacker-controlled URL after successful authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server captures the access token from the redirect URI.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen access token to impersonate the user and access protected resources.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive information or performs actions on behalf of the user, leading to information disclosure or other malicious activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-3872 can lead to the theft of access tokens, enabling unauthorized access to user accounts and sensitive data. This could result in the compromise of user privacy, financial loss, or reputational damage for organizations relying on affected Keycloak instances. The impact is significant because Keycloak is used across various sectors to secure web applications and APIs.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patches or updates provided by Red Hat for Keycloak to address CVE-2026-3872. 
Refer to the Red Hat advisory linked in the references for specific instructions.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect exploitation attempts of CVE-2026-3872 based on suspicious redirect URIs in web server logs.\u003c/li\u003e\n\u003cli\u003eReview and harden the configuration of redirect URIs in Keycloak, avoiding the use of wildcards where possible and implementing stricter validation rules.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to redirect URIs, looking for unusual patterns or attempts to access unauthorized resources.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:16:26Z","date_published":"2026-04-02T13:16:26Z","id":"/briefs/2026-04-keycloak-redirect-bypass/","summary":"CVE-2026-3872 is a vulnerability in Keycloak that allows an attacker controlling a path on the same web server to bypass URI redirect validation using a wildcard, potentially leading to access token theft and information disclosure.","title":"Keycloak Redirect URI Bypass Vulnerability (CVE-2026-3872)","url":"https://feed.craftedsignal.io/briefs/2026-04-keycloak-redirect-bypass/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.4,"id":"CVE-2026-4282"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["keycloak","privilege-escalation","authorization"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-4282 identifies a critical vulnerability within the Keycloak authentication server, specifically affecting the SingleUseObjectProvider. This component, responsible for managing single-use key-value pairs, suffers from a lack of sufficient type and namespace isolation. The absence of proper isolation mechanisms allows a remote, unauthenticated attacker to manipulate the system by forging authorization codes. Successful exploitation allows for the creation of access tokens with administrative privileges. 
The vulnerability was published on April 2, 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a crafted request to the Keycloak server to initiate the authorization flow.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the lack of type and namespace isolation in the SingleUseObjectProvider.\u003c/li\u003e\n\u003cli\u003eThe attacker forges a valid authorization code using the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker presents the forged authorization code to the token endpoint.\u003c/li\u003e\n\u003cli\u003eKeycloak validates the forged code due to the flawed SingleUseObjectProvider logic.\u003c/li\u003e\n\u003cli\u003eThe attacker receives an access token with elevated (admin) privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the admin-capable access token to perform administrative actions.\u003c/li\u003e\n\u003cli\u003eThe attacker gains full control over Keycloak resources and user data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-4282 allows a remote attacker to gain full administrative control over a Keycloak instance. This can lead to the compromise of all applications and services relying on Keycloak for authentication and authorization. The impact includes data breaches, account takeovers, and the potential for widespread service disruption. 
Given Keycloak\u0026rsquo;s prevalence in securing web applications and APIs, the vulnerability poses a significant risk to organizations using affected versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or upgrade to a version of Keycloak that resolves CVE-2026-4282 as soon as it becomes available from Red Hat.\u003c/li\u003e\n\u003cli\u003eMonitor Keycloak logs (webserver category, linux product) for suspicious requests to the authorization and token endpoints indicative of authorization code forging attempts.\u003c/li\u003e\n\u003cli\u003eImplement stricter input validation and sanitization on the authorization code parameter to mitigate the vulnerability.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-02T13:16:26Z","date_published":"2026-04-02T13:16:26Z","id":"/briefs/2026-04-keycloak-privesc/","summary":"An unauthenticated attacker can exploit CVE-2026-4282 in Keycloak's SingleUseObjectProvider to forge authorization codes, leading to privilege escalation and the creation of admin-capable access tokens.","title":"Keycloak Authorization Code Forging Vulnerability (CVE-2026-4282)","url":"https://feed.craftedsignal.io/briefs/2026-04-keycloak-privesc/"}],"language":"en","title":"CraftedSignal Threat Feed — Keycloak","version":"https://jsonfeed.org/version/1.1"}