Lucene search: 4149 matches found

RedHat Linux (added 2026/06/10 5:38 p.m., 12 views)

Moderate: Red Hat Security Advisory: Red Hat build of Keycloak 26.6.3 Update

New Red Hat build of Keycloak 26.6.3 packages are available from the Customer Portal. Red Hat build of Keycloak 26.6.3 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. Security fixes...

CVSS 8.8 | AI score 5.5 | EPSS 0.00442 | Exploits 0 | References 1
RedHat Linux (added 2026/06/10 5:38 p.m., 4 views)

org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: Security flaw in org.keycloak/keycloak-services

A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect (OIDC) Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially...

CVSS 5.4 | AI score 5.4 | EPSS 0.0025 | Exploits 0 | References 4
RedHat Linux (added 2026/06/10 5:38 p.m., 6 views)

keycloak: Keycloak: Information disclosure due to user profile permission bypass

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

CVSS 2.7 | AI score 5.3 | EPSS 0.00318 | Exploits 0 | References 4
RedHat Linux (added 2026/06/10 5:38 p.m., 5 views)

keycloak-rhel9: Organization Data Leak After Feature Disabled in Keycloak

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API, or by requesting an OpenID Connect (OIDC) token with the 'organization' scope. This allows organization metadata to be disclosed in...

CVSS 4.3 | AI score 5.3 | EPSS 0.00196 | Exploits 0 | References 4
RedHat Linux (added 2026/06/10 5:38 p.m., 5 views)

keycloak: Keycloak: Denial of Service via malformed LDAP password policy response

A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol (LDAP) server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password...

CVSS 4.9 | AI score 5.5 | EPSS 0.00442 | Exploits 0 | References 4
RedHat Linux (added 2026/06/10 5:38 p.m., 5 views)

keycloak: Keycloak: Unauthorized account access via replayed refresh tokens after cluster restart

A flaw was found in Keycloak. When revokeRefreshToken=true is enabled and persistent session storage is in use, a server restart can reset internal timing mechanisms. This allows a remote attacker, who has previously captured a user's refresh token, to replay that token even after it has been...

CVSS 6.8 | AI score 5.4 | EPSS 0.00283 | Exploits 0 | References 4
RedHat Linux (added 2026/06/10 5:38 p.m., 4 views)

keycloak: Keycloak: Denial of Service via malformed Authorization header

A flaw was found in Keycloak's ClientRegistrationAuth component. A remote unauthenticated attacker can exploit this vulnerability by sending a specially crafted POST request with a malformed 'Authorization: Bearer' header to any client registration endpoint. This can lead to an...

CVSS 5.3 | AI score 5.5 | EPSS 0.00389 | Exploits 0 | References 4
RedHat Linux (added 2026/06/10 5:38 p.m., 5 views)

keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim

A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token (JWT) is used to set the...

CVSS 5.3 | AI score 5.5 | EPSS 0.00229 | Exploits 0 | References 4
RedHat Linux (added 2026/06/10 5:38 p.m., 6 views)

keycloak: Keycloak: Information disclosure via SAML ECP endpoint

A flaw was found in Keycloak. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted SOAP requests to the SAML ECP (Security Assertion Markup Language Enhanced Client or Proxy) endpoint with varying client IDs. By observing distinct faultstrings in the...

CVSS 5.3 | AI score 5.4 | EPSS 0.00309 | Exploits 0 | References 4
RedHat Linux (added 2026/06/10 5:38 p.m., 5 views)

keycloak: Keycloak: Security restriction bypass allows unauthorized ROPC token acquisition

A flaw was found in Keycloak's Client Policies, specifically within the org.keycloak.protocol.oidc component. When certain condition providers (client-type, client-roles, client-attributes, client-scopes) are used to enforce security restrictions, the reject-ropc-grant executor is silently bypassed...

CVSS 6.5 | AI score 5.5 | EPSS 0.00262 | Exploits 0 | References 4
RedHat Linux (added 2026/06/10 5:38 p.m., 3 views)

org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the account (Account API) feature is disabled

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional, including both read and write operations, because they lack the checkAccountApiEnabled gate...

CVSS 5.4 | AI score 5.5 | EPSS 0.00178 | Exploits 0 | References 4
RedHat Linux (added 2026/06/10 5:38 p.m., 7 views)

org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

CVSS 3.1 | AI score 5.4 | EPSS 0.00251 | Exploits 0 | References 4
RedHat Linux (added 2026/06/10 5:35 p.m., 6 views)

Moderate: Red Hat Security Advisory: Red Hat build of Keycloak 26.6.3 Images Update

New images are available for Red Hat build of Keycloak 26.6.3 and Red Hat build of Keycloak 26.6.3 Operator, running on OpenShift Container Platform. Red Hat build of Keycloak is an integrated sign-on solution, available as a Red Hat JBoss Middleware for OpenShift containerized image. The Red Hat...

CVSS 8.8 | AI score 5.4 | EPSS 0.00442 | Exploits 0 | References 1
Veracode (added 2026/06/10 7:20 a.m., 10 views)

Denial Of Service

Keycloak is vulnerable to Denial of Service (DoS). The vulnerability is due to improper handling of LDAP password policy responses, where a malformed response from a configured LDAP server can trigger an OutOfMemoryError during password authentication processing, causing the Keycloak JVM to termina...

CVSS 4.9 | AI score 5.5 | EPSS 0.00442 | Exploits 0 | References 6 | Affected Software 1
Chainguard (added 2026/06/09 7:18 a.m., 19 views)

CVE-2026-44249 vulnerabilities

Vulnerabilities for packages: spark-fips, s3proxy-fips, knative-kafka-broker-fips, neo4j, apache-camel-karavan-devmode, apache-hop-fips, cassandra-reaper, nuxeo, zipkin, camunda-zeebe, apache-nifi, management-api-for-apache-cassandra-4.0, opensearch, knative-kafka-broker, camunda, apache-pulsar,...

CVSS 8.1 | AI score 5.1 | EPSS 0.00512 | Exploits 0
Chainguard (added 2026/06/09 7:18 a.m., 17 views)

GHSA-3QP7-7MW8-WX86 vulnerabilities

Vulnerabilities for packages: spark-fips, s3proxy-fips, knative-kafka-broker-fips, neo4j, apache-camel-karavan-devmode, apache-hop-fips, cassandra-reaper, nuxeo, zipkin, camunda-zeebe, apache-nifi, management-api-for-apache-cassandra-4.0, opensearch, knative-kafka-broker, camunda, apache-pulsar,...

AI score 5.2 | Exploits 0
Chainguard (added 2026/06/09 7:18 a.m., 5 views)

GHSA-X4GW-5CX5-PGMH vulnerabilities

Vulnerabilities for packages: spark-fips, s3proxy-fips, knative-kafka-broker-fips, neo4j, apache-camel-karavan-devmode, apache-hop-fips, cassandra-reaper, nuxeo, zipkin, camunda-zeebe, apache-nifi, management-api-for-apache-cassandra-4.0, opensearch, knative-kafka-broker, camunda, apache-pulsar,...

AI score 5.2 | Exploits 0
Chainguard (added 2026/06/09 7:18 a.m., 7 views)

CVE-2026-45416 vulnerabilities

Vulnerabilities for packages: spark-fips, s3proxy-fips, knative-kafka-broker-fips, neo4j, apache-camel-karavan-devmode, apache-hop-fips, cassandra-reaper, nuxeo, zipkin, camunda-zeebe, apache-nifi, management-api-for-apache-cassandra-4.0, opensearch, knative-kafka-broker, camunda, apache-pulsar,...

CVSS 7.5 | AI score 5.1 | EPSS 0.00609 | Exploits 0
IBM Security Bulletins (added 2026/06/08 5:21 p.m., 3 views)

Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to Authentication Bypass by Alternate Name (CVE-2025-14777)

Summary: Keycloak is used by the IBM Datapower Operations Dashboard as part of their IAM and SSO implementation. Vulnerability Details: CVEID: CVE-2025-14777. DESCRIPTION: A flaw was found in Keycloak. An IDOR (Broken Access Control) vulnerability exists in the admin API endpoints for authorization...

CVSS 6 | AI score 5.5 | EPSS 0.00315 | Exploits 0 | Affected Software 1
IBM Security Bulletins (added 2026/06/08 5:17 p.m., 3 views)

Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to Incorrect Behavior Order (CVE-2026-0707)

Summary: Keycloak is used by the IBM Datapower Operations Dashboard as part of their IAM and SSO implementation. Vulnerability Details: CVEID: CVE-2026-0707. DESCRIPTION: A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer...

CVSS 5.3 | AI score 5.5 | EPSS 0.00361 | Exploits 0 | Affected Software 1