| CVE-2014-3709 |
high |
8.8 |
8.8 |
9y ago |
JBoss Keycloak CSRF Vulnerability |
|
| CVE-2026-2603 |
high |
— |
8.0 |
2mo ago |
Keycloak: Unauthorized authentication via disabled SAML Identity Provider |
|
| CVE-2021-3424 |
high |
— |
8.0 |
4y ago |
Keycloak is vulnerable to IDN homograph attack |
|
| CVE-2025-7365 |
high |
7.1 |
7.1 |
11mo ago |
Keycloak phishing attack via email verification step in first login flow |
|
| CVE-2025-7784 |
medium |
6.5 |
6.5 |
10mo ago |
Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled) |
|
| CVE-2024-10270 |
medium |
6.5 |
6.5 |
2y ago |
org.keycloak:keycloak-services has Inefficient Regular Expression Complexity |
|
| CVE-2026-7500 |
medium |
5.4 |
5.4 |
28d ago |
Keycloak has a Forced Browsing issue |
|
| CVE-2025-1391 |
medium |
5.4 |
5.4 |
1y ago |
Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims |
|
| CVE-2025-2559 |
medium |
4.9 |
4.9 |
1y ago |
Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache |
|
| CVE-2026-3911 |
low |
2.7 |
2.7 |
3mo ago |
Keycloak: Information disclosure of disabled user attributes via administrative endpoint |
|
| CVE-2026-37977 |
unknown |
— |
— |
2mo ago |
Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim |
|
| CVE-2026-3121 |
unknown |
— |
— |
2mo ago |
Keycloak: manage-clients permission escalates to full realm admin access |
|
| CVE-2026-4628 |
unknown |
— |
— |
2mo ago |
Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false |
|
| CVE-2026-3429 |
unknown |
— |
— |
3mo ago |
Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API |
|
| CVE-2025-12150 |
unknown |
— |
— |
3mo ago |
Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass |
|
| CVE-2026-1486 |
unknown |
— |
— |
4mo ago |
Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens |
|
| CVE-2026-1190 |
unknown |
— |
— |
4mo ago |
Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods |
|
| CVE-2025-14083 |
unknown |
— |
— |
4mo ago |
Keycloak Admin REST API exposes backend schema and rules |
|
| CVE-2025-14082 |
unknown |
— |
— |
6mo ago |
Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions |
|
| CVE-2025-11429 |
unknown |
— |
— |
7mo ago |
Keycloak does not invalidate sessions when "Remember Me" is disabled |
|
| CVE-2025-12110 |
unknown |
— |
— |
7mo ago |
Keycloak does not invalidate offline sessions when the offline_access scope is removed |
|
| CVE-2025-3910 |
unknown |
— |
— |
1y ago |
Keycloak vulnerable to two factor authentication bypass |
|
| CVE-2024-7341 |
unknown |
— |
— |
2y ago |
Keycloak has session fixation in Elytron SAML adapters |
|
| CVE-2021-3754 |
unknown |
— |
— |
2y ago |
Keycloak's improper input validation allows using email as username |
|
| CVE-2024-3656 |
unknown |
— |
— |
2y ago |
Keycloak's admin API allows low privilege users to use administrative functions |
|
| CVE-2024-4540 |
unknown |
— |
— |
2y ago |
Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) |
|
| CVE-2023-0657 |
unknown |
— |
— |
2y ago |
Keycloak vulnerable to impersonation via logout token exchange |
|
| CVE-2024-1132 |
unknown |
— |
— |
2y ago |
Keycloak path traversal vulnerability in redirection validation |
|
| CVE-2023-6544 |
unknown |
— |
— |
2y ago |
Keycloak Authorization Bypass vulnerability |
|
| CVE-2023-6717 |
unknown |
— |
— |
2y ago |
Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow |
|
| CVE-2023-3597 |
unknown |
— |
— |
2y ago |
Keycloak secondary factor bypass in step-up authentication |
|
| CVE-2022-2232 |
unknown |
— |
— |
3y ago |
Keycloak vulnerable to LDAP Injection on UsernameForm Login |
|
| CVE-2023-2422 |
unknown |
— |
— |
3y ago |
Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients |
|
| CVE-2022-4361 |
unknown |
— |
— |
3y ago |
Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC |
|
| CVE-2014-3652 |
unknown |
— |
— |
4y ago |
JBoss KeyCloak Open Redirect |
|
| CVE-2022-1245 |
unknown |
— |
— |
4y ago |
Keycloak vulnerable to privilege escalation on Token Exchange feature |
|
| CVE-2020-10776 |
unknown |
— |
— |
4y ago |
Cross-site Scripting in keycloak |
|
| CVE-2021-4133 |
unknown |
— |
— |
4y ago |
Improper Authorization in Keycloak |
|