4149 matches found
OpenRemote 访问控制错误漏洞
OpenRemote is an open-source IoT platform developed by OpenRemote. Versions of OpenRemote prior to 1.22.1 contained a access control vulnerability. This vulnerability stemmed from the possibility for users with the write:admin permission to call the Manager API and update user Keycloak domain rol...
PT-2026-34453
Name of the Vulnerable Software and Affected Versions OpenRemote versions prior to 1.22.1 Description A user possessing the write:admin role in one Keycloak realm can utilize the Manager API to update Keycloak realm roles for users in a different realm, including the master realm. The issue exist...
CLEANSTART-2026-AD31975 Security fixes for ghsa-72hv-8253-57qq, ghsa-pwqr-wmgm-9rr8, ghsa-w9fj-cfpg-grvv applied in versions: 26.5.6-r3
Multiple security vulnerabilities affect the keycloak package. These issues are resolved in later releases. See references for individual vulnerability details...
GHSA-5W6H-PJW6-WVC6 apache-airflow-providers-keycloak: Missing OAuth 2.0 State and PKCE Enables Login CSRF and Session Fixation
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...
apache-airflow-providers-keycloak: Missing OAuth 2.0 State and PKCE Enables Login CSRF and Session Fixation
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...
Cross-site Request Forgery (CSRF)
Overview apache-airflow-providers-keycloak is a Provider package apache-airflow-providers-keycloak for Apache Airflow Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF in the login authentication process due to missing generation and validation of the OAuth 2.0...
CVE-2026-40948
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...
CVE-2026-40948
The CVE-2026-40948 entry concerns the Keycloak authentication manager in apache-airflow-providers-keycloak. It describes missing OAuth 2.0 state validation and PKCE usage during login/login-callback, enabling a potential login-CSRF/session-fixation attack where a victim may be seduced into an att...
CVE-2026-40948 Apache Airflow Providers Keycloak: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...
EUVD-2026-23676
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...
CVE-2026-40948
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...
CVE-2026-40948 Apache Airflow Providers Keycloak: OAuth Login CSRF — Missing State Parameter in Keycloak Auth Manager
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...
PT-2026-33603
The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...
Apache Airflow 安全漏洞
Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. However, Apache Airflow has security vulnerabilities. The...
GHSA-RX66-HJ7G-28H7 vulnerabilities
Vulnerabilities for packages: keycloak...
GHSA-RHGQ-F8X5-J2JC vulnerabilities
Vulnerabilities for packages: keycloak...
GHSA-HJ93-H7PG-FH6V vulnerabilities
Vulnerabilities for packages: keycloak...
GHSA-H4WV-G838-66G3 vulnerabilities
Vulnerabilities for packages: keycloak...
GHSA-CJM2-J6CM-6P6M vulnerabilities
Vulnerabilities for packages: keycloak...
CVE-2026-4634 vulnerabilities
Vulnerabilities for packages: keycloak...