| CVE-2014-3709 |
high |
8.8 |
8.8 |
9y ago |
JBoss Keycloak CSRF Vulnerability |
|
| CVE-2026-2603 |
high |
— |
8.0 |
2mo ago |
Keycloak: Unauthorized authentication via disabled SAML Identity Provider |
|
| CVE-2021-3424 |
high |
— |
8.0 |
4y ago |
Keycloak is vulnerable to IDN homograph attack |
|
| CVE-2025-7365 |
high |
7.1 |
7.1 |
11mo ago |
Keycloak phishing attack via email verification step in first login flow |
|
| CVE-2026-37977 |
unknown |
— |
— |
2mo ago |
Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim |
|
| CVE-2026-4636 |
unknown |
— |
— |
2mo ago |
Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants |
|
| CVE-2026-4282 |
unknown |
— |
— |
2mo ago |
Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw |
|
| CVE-2026-4634 |
unknown |
— |
— |
2mo ago |
Keycloak: Application-Level DoS via Scope Processing |
|
| CVE-2026-3872 |
unknown |
— |
— |
2mo ago |
Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint |
|
| CVE-2026-3121 |
unknown |
— |
— |
2mo ago |
Keycloak: manage-clients permission escalates to full realm admin access |
|
| CVE-2026-4628 |
unknown |
— |
— |
2mo ago |
Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false |
|
| CVE-2026-3429 |
unknown |
— |
— |
3mo ago |
Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API |
|
| CVE-2025-12150 |
unknown |
— |
— |
3mo ago |
Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass |
|
| CVE-2026-2733 |
unknown |
— |
— |
3mo ago |
Keycloak: Missing Check on Disabled Client for Docker Registry Protocol |
|
| CVE-2025-14778 |
unknown |
— |
— |
4mo ago |
Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService |
|
| CVE-2026-1529 |
unknown |
— |
— |
4mo ago |
Keycloak affected by improper invitation token validation |
|
| CVE-2026-1486 |
unknown |
— |
— |
4mo ago |
Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens |
|
| CVE-2025-13881 |
unknown |
— |
— |
4mo ago |
Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes |
|
| CVE-2026-1190 |
unknown |
— |
— |
4mo ago |
Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods |
|
| CVE-2025-14083 |
unknown |
— |
— |
4mo ago |
Keycloak Admin REST API exposes backend schema and rules |
|
| CVE-2025-14082 |
unknown |
— |
— |
6mo ago |
Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions |
|
| CVE-2025-12110 |
unknown |
— |
— |
7mo ago |
Keycloak does not invalidate offline sessions when the offline_access scope is removed |
|
| CVE-2025-11429 |
unknown |
— |
— |
7mo ago |
Keycloak does not invalidate sessions when "Remember Me" is disabled |
|
| CVE-2025-3910 |
unknown |
— |
— |
1y ago |
Keycloak vulnerable to two factor authentication bypass |
|
| CVE-2025-3501 |
unknown |
— |
— |
1y ago |
Keycloak hostname verification |
|
| CVE-2024-7341 |
unknown |
— |
— |
2y ago |
Keycloak has session fixation in Elytron SAML adapters |
|
| CVE-2024-4629 |
unknown |
— |
— |
2y ago |
Keycloak Services has a potential bypass of brute force protection |
|
| CVE-2024-1722 |
unknown |
— |
— |
2y ago |
Keycloak Denial of Service via account lockout |
|
| CVE-2021-3754 |
unknown |
— |
— |
2y ago |
Keycloak's improper input validation allows using email as username |
|
| CVE-2024-3656 |
unknown |
— |
— |
2y ago |
Keycloak's admin API allows low privilege users to use administrative functions |
|
| CVE-2024-4540 |
unknown |
— |
— |
2y ago |
Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) |
|
| CVE-2023-0657 |
unknown |
— |
— |
2y ago |
Keycloak vulnerable to impersonation via logout token exchange |
|
| CVE-2023-6787 |
unknown |
— |
— |
2y ago |
Keycloak vulnerable to session hijacking via re-authentication |
|
| CVE-2024-1132 |
unknown |
— |
— |
2y ago |
Keycloak path traversal vulnerability in redirection validation |
|
| CVE-2023-6484 |
unknown |
— |
— |
2y ago |
Keycloak vulnerable to log Injection during WebAuthn authentication or registration |
|
| CVE-2023-6544 |
unknown |
— |
— |
2y ago |
Keycloak Authorization Bypass vulnerability |
|
| CVE-2023-6717 |
unknown |
— |
— |
2y ago |
Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow |
|
| CVE-2023-3597 |
unknown |
— |
— |
2y ago |
Keycloak secondary factor bypass in step-up authentication |
|
| CVE-2023-6134 |
unknown |
— |
— |
3y ago |
Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri |
|
| CVE-2022-2232 |
unknown |
— |
— |
3y ago |
Keycloak vulnerable to LDAP Injection on UsernameForm Login |
|
| CVE-2023-2422 |
unknown |
— |
— |
3y ago |
Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients |
|
| CVE-2022-4361 |
unknown |
— |
— |
3y ago |
Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC |
|
| CVE-2023-2585 |
unknown |
— |
— |
3y ago |
Client Spoofing within the Keycloak Device Authorisation Grant |
|
| CVE-2023-0264 |
unknown |
— |
— |
3y ago |
Keycloak vulnerable to user impersonation via stolen UUID code |
|
| CVE-2014-3652 |
unknown |
— |
— |
4y ago |
JBoss KeyCloak Open Redirect |
|
| CVE-2022-1245 |
unknown |
— |
— |
4y ago |
Keycloak vulnerable to privilege escalation on Token Exchange feature |
|
| CVE-2020-10776 |
unknown |
— |
— |
4y ago |
Cross-site Scripting in keycloak |
|
| CVE-2021-4133 |
unknown |
— |
— |
4y ago |
Improper Authorization in Keycloak |
|