| CVE ID | Severity | — | — | Age | Title |
|---|---|---|---|---|---|
| CVE-2026-37980 | unknown | — | — | 1mo ago | Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page |
| CVE-2026-37977 | unknown | — | — | 2mo ago | Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim |
| CVE-2026-4636 | unknown | — | — | 2mo ago | Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants |
| CVE-2026-4634 | unknown | — | — | 2mo ago | Keycloak: Application-Level DoS via Scope Processing |
| CVE-2026-4282 | unknown | — | — | 2mo ago | Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw |
| CVE-2026-4325 | unknown | — | — | 2mo ago | Keycloak: Replay of action tokens via improper handling of single-use entries |
| CVE-2026-3872 | unknown | — | — | 2mo ago | Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint |
| CVE-2026-3190 | unknown | — | — | 2mo ago | Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure |
| CVE-2026-3121 | unknown | — | — | 2mo ago | Keycloak: manage-clients permission escalates to full realm admin access |
| CVE-2026-4633 | unknown | — | — | 2mo ago | Keycloak's identity-first login flow exposes user information |
| CVE-2026-4628 | unknown | — | — | 2mo ago | Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false |
| CVE-2026-2575 | unknown | — | — | 2mo ago | Keycloak: Denial of Service due to excessive SAMLRequest decompression |
| CVE-2026-2092 | unknown | — | — | 2mo ago | Keycloak: Unauthorized access via improper validation of encrypted SAML assertions |
| CVE-2026-3429 | unknown | — | — | 3mo ago | Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API |
| CVE-2026-3009 | unknown | — | — | 3mo ago | Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator |
| CVE-2025-12150 | unknown | — | — | 3mo ago | Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass |
| CVE-2026-2733 | unknown | — | — | 3mo ago | Keycloak: Missing Check on Disabled Client for Docker Registry Protocol |
| CVE-2025-14778 | unknown | — | — | 4mo ago | Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService |
| CVE-2026-1529 | unknown | — | — | 4mo ago | Keycloak affected by improper invitation token validation |
| CVE-2026-1486 | unknown | — | — | 4mo ago | Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens |
| CVE-2025-13881 | unknown | — | — | 4mo ago | Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes |
| CVE-2026-1190 | unknown | — | — | 4mo ago | Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods |
| CVE-2025-14083 | unknown | — | — | 4mo ago | Keycloak Admin REST API exposes backend schema and rules |
| CVE-2025-14559 | unknown | — | — | 4mo ago | Keycloak services allows the issuance of access and refresh tokens for disabled users |
| CVE-2026-1035 | unknown | — | — | 4mo ago | Keycloak does not validate and update refresh token usage atomically |
| CVE-2025-14082 | unknown | — | — | 6mo ago | Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions |
| CVE-2025-12390 | unknown | — | — | 7mo ago | Keycloak vulnerable to session takeovers due to reuse of session identifiers |
| CVE-2025-12110 | unknown | — | — | 7mo ago | Keycloak does not invalidate offline sessions when the offline_access scope is removed |
| CVE-2025-11429 | unknown | — | — | 7mo ago | Keycloak does not invalidate sessions when "Remember Me" is disabled |
| CVE-2025-8419 | unknown | — | — | 8mo ago | Keycloak SMTP Inject Vulnerability |
| CVE-2025-3910 | unknown | — | — | 1y ago | Keycloak vulnerable to two factor authentication bypass |
| CVE-2025-3501 | unknown | — | — | 1y ago | Keycloak hostname verification |
| CVE-2024-7341 | unknown | — | — | 2y ago | Keycloak has session fixation in Elytron SAML adapters |
| CVE-2024-8883 | unknown | — | — | 2y ago | Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect |
| CVE-2024-4629 | unknown | — | — | 2y ago | Keycloak Services has a potential bypass of brute force protection |
| CVE-2024-1722 | unknown | — | — | 2y ago | Keycloak Denial of Service via account lockout |
| CVE-2021-3754 | unknown | — | — | 2y ago | Keycloak's improper input validation allows using email as username |
| CVE-2024-3656 | unknown | — | — | 2y ago | Keycloak's admin API allows low privilege users to use administrative functions |
| CVE-2024-4540 | unknown | — | — | 2y ago | Keycloak exposes sensitive information in Pushed Authorization Requests (PAR) |
| CVE-2023-0657 | unknown | — | — | 2y ago | Keycloak vulnerable to impersonation via logout token exchange |
| CVE-2023-6787 | unknown | — | — | 2y ago | Keycloak vulnerable to session hijacking via re-authentication |
| CVE-2024-1132 | unknown | — | — | 2y ago | Keycloak path traversal vulnerability in redirection validation |
| CVE-2024-1249 | unknown | — | — | 2y ago | Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS |
| CVE-2023-6484 | unknown | — | — | 2y ago | Keycloak vulnerable to log Injection during WebAuthn authentication or registration |
| CVE-2023-6544 | unknown | — | — | 2y ago | Keycloak Authorization Bypass vulnerability |
| CVE-2023-6717 | unknown | — | — | 2y ago | Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow |
| CVE-2023-3597 | unknown | — | — | 2y ago | Keycloak secondary factor bypass in step-up authentication |
| CVE-2024-2419 | unknown | — | — | 2y ago | Keycloak path traversal vulnerability in the redirect validation |
| CVE-2023-6291 | unknown | — | — | 3y ago | The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted |
| CVE-2023-6134 | unknown | — | — | 3y ago | Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri |
| CVE-2022-2232 | unknown | — | — | 3y ago | Keycloak vulnerable to LDAP Injection on UsernameForm Login |
| CVE-2023-2422 | unknown | — | — | 3y ago | Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients |
| CVE-2022-4361 | unknown | — | — | 3y ago | Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC |
| CVE-2023-2585 | unknown | — | — | 3y ago | Client Spoofing within the Keycloak Device Authorisation Grant |
| CVE-2023-0264 | unknown | — | — | 3y ago | Keycloak vulnerable to user impersonation via stolen UUID code |
| CVE-2022-1274 | unknown | — | — | 3y ago | HTML Injection in Keycloak Admin REST API |
| CVE-2022-1438 | unknown | — | — | 3y ago | Keycloak vulnerable to Cross-site Scripting |
| CVE-2014-3652 | unknown | — | — | 4y ago | JBoss KeyCloak Open Redirect |
| CVE-2018-10894 | unknown | — | — | 4y ago | Keycloak Authentication Error |
| CVE-2022-1245 | unknown | — | — | 4y ago | Keycloak vulnerable to privilege escalation on Token Exchange feature |
| CVE-2020-10776 | unknown | — | — | 4y ago | Cross-site Scripting in keycloak |
| CVE-2021-4133 | unknown | — | — | 4y ago | Improper Authorization in Keycloak |