
redhat keycloak

104 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-3047
all versions
A flaw was found in org.keycloak.broker.saml. When a disabled Security Assertion Markup Language (SAML) client is configured as an
8.8HIGH
CVE-2025-12150
all versions
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured a
3.1LOW
CVE-2026-0871
< 26.4.0
A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" settin
4.9MEDIUM
CVE-2025-8419
all versions
A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and
5.3MEDIUM
CVE-2025-7365
all versions
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an id
7.1HIGH
CVE-2025-5416
all versions
A vulnerability has been identified in Keycloak that could lead to unauthorized information disclosure. While it requires an alrea
2.7LOW
CVE-2023-6841
all versions
A denial of service vulnerability was found in keycloak where the amount of attributes per object is not limited, an attacker by se
7.5HIGH
CVE-2024-7341
<= 25.0.2
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not ch
7.1HIGH
CVE-2024-7260
< 24.0.7
An open redirect vulnerability was found in Keycloak. A specially crafted URL can be constructed where the referrer and referrer_u
6.1MEDIUM
CVE-2024-4629
< 24.0.3
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of log
6.5MEDIUM
CVE-2023-6787
< 22.0.10
A flaw was found in Keycloak that occurs from an error in the re-authentication mechanism within org.keycloak.authentication. This
6.5MEDIUM
CVE-2024-1132
>= 21.1.0 and < 22.0.10
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. This issue could allow an attacker
8.1HIGH
CVE-2024-1722
all versions
A flaw was found in Keycloak. In certain conditions, this issue may allow a remote unauthenticated attacker to block other account
3.7LOW
CVE-2023-6291
< 22.0.7
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed h
7.1HIGH
CVE-2023-6927
all versions
A flaw was found in Keycloak. This issue may allow an attacker to steal authorization codes or tokens from clients using a wildcar
4.6MEDIUM
CVE-2023-48795
all versions
The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attacker
5.9MEDIUM
CVE-2023-6134
< 22.0.7
A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token.
4.6MEDIUM
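The CVE-2023-6291 and CVE-2023-6134 entries above both concern redirect_uri validation that a wildcard or an unexpected scheme can slip past. What follows is an added example, not Keycloak's code, showing the general hardening: validate the registered value itself (wildcard or not) against a scheme allowlist, and at authorization time compare scheme, host and port exactly and match the normalized path. The client registrations, hostnames and URIs are constructed for the example.

```python
"""Redirect URI validation: a weak registration check beside a hardened one.

Added example, not Keycloak code. All registrations and URIs are constructed.
"""
import posixpath
from urllib.parse import urlsplit

SAFE_SCHEMES = {"https", "http"}  # assumption: only web callbacks are legitimate

# Constructed client registration: one exact URI and one path-prefix wildcard.
REGISTERED = ["https://app.example.test/callback", "https://app.example.test/oauth/*"]


def weak_register(entry: str) -> bool:
    """Flawed pattern: the scheme check is skipped whenever a wildcard is present,
    so a value such as 'javascript:*' gets stored as an allowed redirect."""
    if entry.endswith("*"):
        return True
    return urlsplit(entry).scheme.lower() in SAFE_SCHEMES


def hardened_register(entry: str) -> bool:
    """Validate the registered value itself, wildcard or not: a single trailing '*'
    on the path is the only wildcard accepted, the scheme must be allowlisted,
    and a host must be present. Fragments and userinfo are rejected outright."""
    pattern = entry[:-1] if entry.endswith("*") else entry
    if "*" in pattern:
        return False
    parts = urlsplit(pattern)
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.hostname:
        return False
    if parts.fragment or parts.username or parts.password:
        return False
    return True


def _normalize(url: str):
    """Split a URL into (scheme, host, port, normalized path, query).
    Dot segments are collapsed so '/oauth/../admin' cannot pass a prefix test."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port or (443 if scheme == "https" else 80)  # .port raises ValueError on junk
    path = posixpath.normpath(p.path or "/")
    if p.path.endswith("/") and path != "/":
        path += "/"
    return scheme, host, port, path, p.query


def is_allowed(redirect_uri: str, registered: list) -> bool:
    """Authorization-time check: exact scheme/host/port, exact path and query for
    plain entries, normalized path-prefix match for wildcard entries."""
    try:
        scheme, host, port, path, query = _normalize(redirect_uri)
    except ValueError:
        return False
    if scheme not in SAFE_SCHEMES or not host or urlsplit(redirect_uri).fragment:
        return False
    for entry in registered:
        if not hardened_register(entry):
            continue  # a bad registration never widens what is accepted
        wildcard = entry.endswith("*")
        e_scheme, e_host, e_port, e_path, e_query = _normalize(entry[:-1] if wildcard else entry)
        if (scheme, host, port) != (e_scheme, e_host, e_port):
            continue
        if wildcard and path.startswith(e_path):
            return True
        if not wildcard and (path, query) == (e_path, e_query):
            return True
    return False


if __name__ == "__main__":
    for uri in ("https://app.example.test/oauth/cb", "https://app.example.test/oauth/../admin",
                "https://app.example.test.evil.test/oauth/cb", "javascript:alert(1)"):
        print(uri, "->", is_allowed(uri, REGISTERED + ["javascript:*"]))
```

The point of checking the stored registration again inside is_allowed is that the authorization endpoint then cannot be widened by an entry that a weaker registration path let through earlier; the wildcard branch only ever relaxes the path, never the scheme, host or port.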
CVE-2023-6563
< 21.0.0
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have milli
7.7HIGH
CVE-2023-2422
all versions
A flaw was found in Keycloak. A Keycloak server configured to support mTLS authentication for OAuth/OpenID clients does not proper
5.5MEDIUM
CVE-2022-4137
all versions
A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. Th
8.1HIGH
CVE-2022-3916
< 20.0.2
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if co
6.8MEDIUM
CVE-2022-1438
all versions
A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting i
6.4MEDIUM
CVE-2023-4918
all versions
A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registr
8.8HIGH
CVE-2023-0264
< 18.0.6
A flaw was found in Keycloak's OpenID Connect user authentication, which may incorrectly authenticate requests. An authenticated at
5.0MEDIUM
CVE-2022-4361
< 21.1.2
Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the SAML or OI
10.0CRITICAL
CVE-2023-1664
all versions
A flaw was found in Keycloak. This flaw depends on a non-default configuration "Revalidate Client Certificate" to be enabled and t
6.5MEDIUM
CVE-2022-1274
< 20.0.5
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails se
5.4MEDIUM
CVE-2023-0105
all versions
A flaw was found in Keycloak. This flaw allows impersonation and lockout due to the email trust not being handled correctly in Key
6.5MEDIUM
CVE-2023-0091
all versions
A flaw was found in Keycloak, where it did not properly check client tokens for possible revocation in its client credential flow.
3.8LOW
CVE-2022-3782
all versions
keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included
9.1CRITICAL
CVE-2022-0225
all versions
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating
5.4MEDIUM
CVE-2021-3856
< 15.1.0
ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By
4.3MEDIUM
CVE-2021-3754
all versions
A flaw was found in keycloak where an attacker is able to register with a username that is the same as the email ID of any existing
5.3MEDIUM
CVE-2021-3632
< 15.1.0
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device
7.5HIGH
CVE-2021-3827
< 18.0.0
A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting t
6.8MEDIUM
CVE-2020-35509
all versions
A flaw was found in keycloak affecting versions 11.0.3 and 12.0.0. An expired certificate would be accepted by the direct-grant au
5.4MEDIUM
CVE-2021-3513
< 13.0.0
A flaw was found in keycloak where a brute force attack is possible even when the permanent lockout feature is enabled. This is du
7.5HIGH
CVE-2022-2668
all versions
An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOA
7.2HIGH
CVE-2022-1245
< 18.0.0
A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows a client application
9.8CRITICAL
CVE-2022-1466
< 17.0.1
Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to
6.5MEDIUM
CVE-2021-3461
all versions
A flaw was found in keycloak where keycloak may fail to logout user session if the logout request comes from external SAML identit
7.1HIGH
CVE-2021-20323
< 17.0.0
A POST-based reflected cross-site scripting vulnerability has been identified in Keycloak.
6.1MEDIUM
CVE-2021-4133
>= 12.0.0 and < 15.1.1
A flaw was found in Keycloak in versions from 12.0.0 and before 15.1.1 which allows an attacker with any existing user account to
8.8HIGH
CVE-2021-3637
< 14.0.0
A flaw was found in keycloak-model-infinispan in keycloak versions before 14.0.0 where authenticationSessions map in RootAuthentic
7.5HIGH
CVE-2021-20195
< 12.0.3
A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover
9.6CRITICAL
CVE-2020-27826
< 12.0.0
A flaw was found in Keycloak before version 12.0.0 where it is possible to update the user's metadata attributes using Account RES
4.2MEDIUM
CVE-2021-20202
< 13.0.0
A flaw was found in keycloak. Directories can be created prior to the Java process creating them in the temporary directory, but w
7.3HIGH
CVE-2021-20222
>= 9.0.0 and < 13.0.0
A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL.
7.5HIGH
CVE-2021-20262
all versions
A flaw was found in Keycloak 12.0.0 where re-authentication does not occur while updating the password. This flaw allows an attack
6.8MEDIUM
CVE-2020-27838
< 13.0.0
A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLI
6.5MEDIUM
CVE-2020-1717
all versions
A flaw was found in Keycloak 7.0.1. A logged in user can do an account email enumeration attack.
2.7LOW
CVE-2020-10734
all versions
A vulnerability was found in keycloak in the way that the OIDC logout endpoint does not have CSRF protection. Versions shipped wit
3.3LOW
CVE-2020-1725
< 13.0.0
A flaw was found in keycloak before version 13.0.0. In some scenarios a user still has access to a resource after changing the rol
5.4MEDIUM
CVE-2020-14302
< 13.0.0
A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Ke
4.9MEDIUM
CVE-2020-10770
< 12.0.2
A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC
5.3MEDIUM
CVE-2020-14389
< 12.0.0
It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the ne
8.1HIGH
CVE-2020-10776
< 12.0.0
A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. Thi
4.8MEDIUM
CVE-2020-14366
< 12.0.0
A vulnerability was found in keycloak, where path traversal using URL-encoded path segments in the request is possible because the
6.8MEDIUM
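The CVE-2022-3782 and CVE-2020-14366 entries above both describe path traversal through URL-encoded path segments. The following is an added example, not Keycloak's code, of the general pattern: a resource lookup that checks for '..' before performing its own second decode (so a doubly encoded '%252e%252e' arrives as '%2e%2e', passes the check, and only then becomes '..'), beside one that decodes exactly once, rejects leftover encoding, validates every segment and confirms the result stays below the root. The theme root and request paths are constructed.

```python
"""Path traversal that survives a single URL decode: weak lookup beside a hardened one.

Added example, not Keycloak code. The root directory and request paths are constructed.
"""
import posixpath
from urllib.parse import unquote

THEME_ROOT = "/opt/keycloak/themes"  # constructed root directory for the example


def weak_resolve(root: str, once_decoded_path: str):
    """Flawed ordering: the traversal check runs on the path as the web server handed
    it over (already decoded once), then the application decodes a second time.
    A request for '%252e%252e' arrives here as '%2e%2e', passes the check, and the
    second unquote turns it into '..'."""
    if ".." in once_decoded_path:
        return None
    decoded = unquote(once_decoded_path)
    return posixpath.normpath(root + "/" + decoded)


def hardened_resolve(root: str, once_decoded_path: str):
    """Decode exactly once, refuse anything that still looks encoded or carries NUL
    or backslashes, reject empty and dot segments, then confirm the normalized result
    is still below the root."""
    decoded = unquote(once_decoded_path)
    if "%" in decoded or "\x00" in decoded or "\\" in decoded:
        return None
    segments = decoded.split("/")
    if any(seg in ("", ".", "..") for seg in segments):
        return None
    resolved = posixpath.normpath(posixpath.join(root, *segments))
    if not resolved.startswith(root.rstrip("/") + "/"):
        return None
    return resolved


if __name__ == "__main__":
    for req in ("base/login/login.ftl", "%2e%2e/%2e%2e/conf/keycloak.conf"):
        print(req, "weak:", weak_resolve(THEME_ROOT, req),
              "hardened:", hardened_resolve(THEME_ROOT, req))
```

Refusing any '%' after the single decode means a legitimate filename containing a literal percent sign is also turned away; for static theme resources that is the safer trade, and the containment check on the normalized path remains as the last line of defence if a segment rule is ever loosened.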
CVE-2020-1694
< 10.0.0
A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. Th
4.9MEDIUM
CVE-2020-10748
all versions
A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances.
6.1MEDIUM
CVE-2020-10758
< 11.0.1
A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the
7.5HIGH
CVE-2020-1727
< 9.0.2
A vulnerability was found in Keycloak before 9.0.2, where every Authorization URL that points to an IDP server lacks proper input
6.4MEDIUM
CVE-2020-1758
< 10.0.0
A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emai
5.3MEDIUM
CVE-2020-1714
< 11.0.0
A flaw was found in Keycloak before version 11.0.0, where the code base contains usages of ObjectInputStream without type checks.
8.8HIGH
CVE-2020-1718
< 8.0.0
A flaw was found in the reset credential flow in all Keycloak versions before 8.0.0. This flaw allows an attacker to gain unauthor
7.1HIGH
CVE-2020-1724
< 9.0.2
A flaw was found in Keycloak in versions before 9.0.2. This flaw allows a malicious user that is currently logged in, to see the p
4.3MEDIUM
CVE-2020-1698
< 9.0.0
A flaw was found in keycloak in versions before 9.0.0. A logged exception in the HttpMethod class may leak the password given as p
5.0MEDIUM
CVE-2019-10170
< 8.0.0
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. Th
6.6MEDIUM
CVE-2019-10169
< 8.0.0
A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This f
6.6MEDIUM
CVE-2020-10686
all versions
A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as
4.1MEDIUM
CVE-2020-1728
< 10.0.0
A vulnerability was found in all versions of Keycloak where, the pages on the Admin Console area of the application are completely
4.8MEDIUM
CVE-2020-1744
< 9.0.1
A flaw was found in keycloak before version 9.0.1. When configuring a Conditional OTP Authentication Flow as a post login flow of
5.6MEDIUM
CVE-2020-1697
< 9.0.0
It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console ar
6.1MEDIUM
CVE-2019-14820
< 8.0.0
It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, whi
4.3MEDIUM
CVE-2019-14837
< 8.0.0
A flaw was found in keycloak before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and
9.1CRITICAL
CVE-2014-3652
all versions
JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL.
6.1MEDIUM
CVE-2019-14910
all versions
A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of S
9.8CRITICAL
CVE-2019-14909
all versions
A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, in
8.3HIGH
CVE-2014-3655
<= 1.0.1
JBoss KeyCloak is vulnerable to soft token deletion via CSRF
4.3MEDIUM
CVE-2019-14832
< 7.0.1
A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not con
7.5HIGH
CVE-2019-10201
<= 6.0.1
It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies
8.1HIGH
CVE-2019-10199
<= 6.0.1
It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker co
8.8HIGH
CVE-2019-3875
< 6.0.2
A vulnerability was found in keycloak before 6.0.2. The X.509 authenticator supports the verification of client certificates throu
6.5MEDIUM
CVE-2019-10157
< 4.8.3
It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server i
4.7MEDIUM
CVE-2019-3868
<= 6.0.0
Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessi
3.8LOW
CVE-2018-14637
< 4.6.0
The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. An atta
6.1MEDIUM
CVE-2018-14658
all versions
A flaw was found in JBOSS Keycloak 3.2.1.Final. The Redirect URL for both Login and Logout are not normalized in org.keycloak.prot
6.1MEDIUM
CVE-2018-14657
all versions
A flaw was found in Keycloak 4.2.1.Final, 4.3.0.Final. When TOTP is enabled, an improper implementation of the Brute Force detection
8.1HIGH
CVE-2018-14655
all versions
A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject
4.6MEDIUM
CVE-2018-10894
all versions
It was found that SAML authentication in Keycloak 3.4.3.Final incorrectly authenticated expired certificates. A malicious user cou
5.4MEDIUM
CVE-2016-8609
< 2.3.0
It was found that the keycloak before 2.3.0 did not implement authentication flow correctly. An attacker could use this flaw to co
3.7LOW
CVE-2017-2646
< 2.5.5
It was found that when Keycloak before 2.5.5 receives a Logout request with an Extensions in the middle of the request, the SAMLSlo
7.5HIGH
CVE-2017-2582
< 2.5.1
It was found that while parsing the SAML messages the StaxParserUtil class of keycloak before 2.5.1 replaces special strings for o
6.5MEDIUM
CVE-2018-10912
< 4.0.0
keycloak before version 4.0.0.final is vulnerable to an infinite loop in session replacement. A Keycloak cluster with multiple node
4.9MEDIUM
CVE-2016-8627
all versions
admin-cli before versions 3.0.0.alpha25, 2.2.1.cr2 is vulnerable to an EAP feature to download server log files that allows logs t
4.3MEDIUM
CVE-2017-2585
< 2.5.1
Red Hat Keycloak before version 2.5.1 has an implementation of HMAC verification for JWS tokens that uses a method that runs in no
5.9MEDIUM
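The CVE-2017-2585 entry above concerns HMAC verification of JWS tokens using a comparison whose running time depends on the data being compared. The following is an added example, not Keycloak's code: an HS256 sign/verify pair in which the verifier compares the recomputed MAC with the presented one using hmac.compare_digest, beside an early-exit comparison that shows the leaky pattern. The key, claims and tokens are constructed for the example.

```python
"""HS256 JWS sign/verify with a constant-time MAC comparison beside a leaky one.

Added example, not Keycloak code. The key and claims are constructed for the example.
"""
import base64
import hashlib
import hmac
import json

DEMO_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """Build a compact JWS: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    mac = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(mac)}"


def leaky_equal(a: bytes, b: bytes) -> bool:
    """Early-exit comparison: runtime grows with the number of leading bytes that
    already match, which is what a timing attack measures to recover a valid MAC
    one byte at a time. Shown for contrast only; never use this for MACs."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def verify_hs256(token: str, key: bytes, compare=hmac.compare_digest):
    """Return the claims when the MAC is valid, else None. The default comparison is
    constant-time; pass compare=leaky_equal to reproduce the weak pattern. The
    algorithm is pinned to what the key is for and never taken from the token."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
        expected = hmac.new(key, signing_input, hashlib.sha256).digest()
        if not compare(expected, b64url_decode(sig_b64)):
            return None
        return json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "aud": "account"}, DEMO_KEY)
    print(token)
    print(verify_hs256(token, DEMO_KEY))
```

Both comparisons accept a genuine token and reject a forged one, so a functional test cannot tell them apart; the difference is only visible in how long the rejection takes, which is exactly why the constant-time primitive has to be chosen deliberately rather than discovered by testing.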
CVE-2016-8629
< 2.4.0
Red Hat Keycloak before version 2.4.0 did not correctly check permissions when handling service account user deletion requests sen
6.5MEDIUM
CVE-2017-12161
< 3.4.2
It was found that keycloak before 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password r
8.8HIGH
CVE-2014-3651
< 1.0.3
JBoss KeyCloak before 1.0.3.Final allows remote attackers to cause a denial of service (resource consumption) via a large value in
7.5HIGH
CVE-2017-12160
all versions
It was found that Keycloak oauth would permit an authenticated resource to obtain an access/refresh token pair from the authentica
7.2HIGH
CVE-2017-12159
all versions
It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. An attacker could use this flaw
7.5HIGH
CVE-2017-12158
all versions
It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An
5.4MEDIUM
CVE-2014-3709
<= 1.0.2.final
The org.keycloak.services.resources.SocialResource.callback method in JBoss KeyCloak before 1.0.3.Final allows remote attackers to
8.8HIGH
CVE-2017-7474
all versions
It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw
9.8CRITICAL
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin