PT-2026-32643
A flaw was found in Keycloak, specifically in the organization selection login page. A remote attacker with manage-realm or manage-organizations administrative privileges can exploit a Stored Cross-Site Scripting (XSS) vulnerability. This flaw occurs because the organization.alias is placed into an...
Improper Certificate Validation
Overview: org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Certificate Validation via packed self-attestation in WebAuthn registration. An attacker can bypass...
CVE-2025-10044 vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
CVE-2025-12110 vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
CVE-2025-7365 vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
GHSA-27GC-WJ6X-9W55 vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
CVE-2025-8419 vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
GHSA-M4J5-5X4R-2XP9 vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
CVE-2025-11538 vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
GHSA-7M9G-PMXF-M9M8 vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
CVE-2025-7784 vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
GHSA-XHPR-465J-7P9Q vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
GHSA-895X-RFQP-JH5C vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
GHSA-27GP-8389-HM4W vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
Keycloak < 26.4.11 Multiple Vulnerabilities
Keycloak versions installed prior to 26.4.11 are affected by multiple vulnerabilities:
- A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an...
CVE-2025-11537 vulnerabilities
Vulnerabilities for packages: keycloak...
GHSA-GV3V-2CPP-3PMQ vulnerabilities
Vulnerabilities for packages: keycloak...
CVE-2025-11537 vulnerabilities
Vulnerabilities for packages: keycloak, keycloak-fips...
GHSA-GV3V-2CPP-3PMQ vulnerabilities
Vulnerabilities for packages: keycloak, keycloak-fips...
EUVD-2026-19201
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing (CORS) header injection vulnerability in Keycloak's User-Managed Access (UMA) token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token (JWT) is used to set the...