
4149 matches found

RedhatCVE, added 2026/03/23 8:08 a.m.

CVE-2026-4628

A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access UMA resourceset endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control chec...

CVSS 4.3 | AI score 5.6 | EPSS 0.00203
Exploits 0 | References 3

Positive Technologies, added 2026/03/23 12:00 a.m.

PT-2026-27067

A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access UMA resource set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control...

CVSS 4.3 | AI score 5.8 | EPSS 0.00203
Exploits 0 | References 3

Positive Technologies, added 2026/03/23 12:00 a.m.

PT-2026-27107

Vulnerable software and affected versions: Keycloak (affected versions not specified). Description: A flaw exists in Keycloak that allows a remote attacker to determine the existence of users, resulting in information disclosure through user enumeration. This occurs due to differential err...

CVSS 3.7 | AI score 5.8 | EPSS 0.00318
Exploits 1 | References 13

CNNVD, added 2026/03/23 12:00 a.m.

Red Hat build of Keycloak access control error vulnerability

Red Hat Build of Keycloak is a single-sign-on web application developed by the American company Red Hat. There is an access control vulnerability in Red Hat Build of Keycloak. This vulnerability stems from improper access control at the endpoints of User-Managed Access resources, which may allow...

CVSS 4.3 | AI score 5.8 | EPSS 0.00203
Exploits 0 | References 3

CNNVD, added 2026/03/23 12:00 a.m.

Keycloak security vulnerability

Keycloak is an open-source identity and access management solution maintained by the Keycloak project. Keycloak has a security vulnerability that stems from a discrepancy in error messages during the identity-first login process when organizations are enabled. This vulnerability could lead to user...

CVSS 3.7 | AI score 5.8 | EPSS 0.00318
Exploits 1 | References 2

Wolfi, added 2026/03/19 1:48 p.m.

CVE-2026-3429 vulnerabilities

Vulnerabilities for packages: keycloak...

CVSS 4.2 | AI score 5.8 | EPSS 0.00251
Exploits 0

Wolfi, added 2026/03/19 1:48 p.m.

GHSA-XH32-C9WX-PHRP vulnerabilities

Vulnerabilities for packages: keycloak...

AI score 5.8
Exploits 0

Wolfi, added 2026/03/19 1:48 p.m.

CVE-2026-3911 vulnerabilities

Vulnerabilities for packages: keycloak...

CVSS 2.7 | AI score 5.8 | EPSS 0.00332
Exploits 0

Wolfi, added 2026/03/19 1:48 p.m.

GHSA-8G9R-9WJW-37J4 vulnerabilities

Vulnerabilities for packages: keycloak...

AI score 5.8
Exploits 0

Chainguard, added 2026/03/19 1:17 p.m.

CVE-2026-3911 vulnerabilities

Vulnerabilities for packages: keycloak, keycloak-fips...

CVSS 2.7 | AI score 5.8 | EPSS 0.00332
Exploits 0

Chainguard, added 2026/03/19 1:17 p.m.

GHSA-8G9R-9WJW-37J4 vulnerabilities

Vulnerabilities for packages: keycloak, keycloak-fips...

AI score 5.8
Exploits 0

Chainguard, added 2026/03/19 1:17 p.m.

GHSA-XH32-C9WX-PHRP vulnerabilities

Vulnerabilities for packages: keycloak, keycloak-fips...

AI score 5.8
Exploits 0

Chainguard, added 2026/03/19 1:17 p.m.

CVE-2026-3429 vulnerabilities

Vulnerabilities for packages: keycloak, keycloak-fips...

CVSS 4.2 | AI score 5.8 | EPSS 0.00251
Exploits 0

Snyk, added 2026/03/19 2:36 a.m.

Server-side Request Forgery (SSRF)

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF when processing client configuration requests. An attacker can make unintend...

CVSS 6.9 | AI score 5.4 | EPSS 0.00228
Exploits 0 | References 2

vulnersOsv, added 2026/03/18 6:31 a.m.

com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak (=24.3.0.0), com.github.wnameless.spring.boot.up:spring-boot-up-keycloak-plugin (=24.3.0.0) +71 more potentially affected by CVE-2026-2575 via org.keycloak:keycloak-saml-core (>=1.2.0.CR1 <=26.5.3)

org.keycloak:keycloak-saml-core MAVEN version =1.2.0.CR1, =2.5.6-24.0, =1.0.0-25.0, =0.1.0, =2.1, =8.1, =2.1, =26.3.0, =26.1.0, =26.4.0, =26.1.0, =26.1.0, =26.1.0, =26.1.0, =26.5.3 and more Source cves: CVE-2026-2575https://vulners.com/cve/CVE-20...

CVSS 5.3 | AI score 5.4 | EPSS 0.00502
Exploits 0

vulnersOsv, added 2026/03/18 6:31 a.m.

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +159 more potentially affected by CVE-2026-2575 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.5.3)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.0.0, =1.2.0 and more Source cves: CVE-2026-2575 Source advisory: OSV:GHSA-XV6H-R36F-3GP5https://vulners.com/osv/OSV:GHSA-XV6H-R36F-...

CVSS 5.3 | AI score 5.4 | EPSS 0.00502
Exploits 0

vulnersOsv, added 2026/03/18 6:31 a.m.

org.keycloak:keycloak-saml-adapter-galleon-pack (>=21.1.0 <=26.5.3), org.keycloak:keycloak-saml-jakarta-servlet-filter-adapter (>=21.1.0 <=22.0.4) +31 more potentially affected by CVE-2026-2575 via org.keycloak:keycloak-saml-adapter-core (>=1.6.0.Final <=26.5.3)

org.keycloak:keycloak-saml-adapter-core MAVEN version =1.6.0.Final, =21.1.0, =21.1.0, =1.6.0.Final, =1.6.0.Final, =1.6.0.Final, =1.6.0.Final, =1.6.0.Final, =1.6.0.Final, =20.0.0, =20.0.0, =1.6.0.Final, =20.0.0, =1.6.0.Final, =20.0.0, =1.6.0.Final, =1.9.8.Final and more Source cves: CVE-2026-2575...

CVSS 5.3 | AI score 5.4 | EPSS 0.00502
Exploits 0

EUVD, added 2026/03/18 6:31 a.m.

EUVD-2026-12762

A flaw was identified in Keycloak, an identity and access management solution, where it improperly follows HTTP redirects when processing certain client configuration requests. This behavior allows an attacker to trick the server into making unintended requests to internal or restricted resources...

CVSS 5.8 | AI score 5.8 | EPSS 0.00228
Exploits 0 | References 3
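The EUVD entry above, and the Snyk entry for the same flaw, describe a server that follows HTTP redirects while fetching client configuration, so a redirect from an attacker-controlled host can steer the request at internal or restricted resources. The block below is an added example written for this page; it is not Keycloak code and not the fix for this CVE. It follows redirects by hand, validating the resolved address of every hop before requesting it, and rejects loopback, private, link-local (the 169.254.169.254 metadata range), multicast and reserved targets. The hostnames, IP addresses, canned responses and the MAX_REDIRECTS value are constructed for the demo.

```python
import http.client
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urljoin, urlsplit

# fetch(url) -> (status, headers, body). The fetcher must NOT follow redirects
# itself; every hop comes back to the caller so it can be validated first.
Fetcher = Callable[[str], tuple[int, dict[str, str], bytes]]
Resolver = Callable[[str], Iterable[str]]   # hostname -> IP address strings

MAX_REDIRECTS = 3  # assumed limit for this example, not a Keycloak setting


class UnsafeTarget(ValueError):
    """The URL (or the address it resolves to) must not be fetched server-side."""


def assert_public_target(url: str, resolve: Resolver) -> None:
    """Reject URLs that would reach loopback, RFC 1918, link-local (cloud
    metadata at 169.254.169.254), multicast, reserved or unspecified addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeTarget(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeTarget("URL has no host")
    if parts.username or parts.password:
        raise UnsafeTarget("credentials embedded in URL")
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]      # IP literal: no DNS involved
    except ValueError:
        addrs = [ipaddress.ip_address(a) for a in resolve(parts.hostname)]
    if not addrs:
        raise UnsafeTarget(f"{parts.hostname} does not resolve")
    for ip in addrs:
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped                          # ::ffff:169.254.169.254 is still link-local
        if not ip.is_global:
            raise UnsafeTarget(f"{parts.hostname} resolves to non-public address {ip}")


def fetch_with_validated_redirects(url: str, fetch: Fetcher, resolve: Resolver,
                                   max_redirects: int = MAX_REDIRECTS):
    """GET url, following redirects by hand so each Location is validated
    before it is requested. Returns (status, body, list of hops visited)."""
    hops = [url]
    for _ in range(max_redirects + 1):
        assert_public_target(url, resolve)
        status, headers, body = fetch(url)
        if status not in (301, 302, 303, 307, 308):
            return status, body, hops
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if not location:
            raise UnsafeTarget("redirect without a Location header")
        url = urljoin(url, location)   # a relative Location resolves against the current hop
        hops.append(url)
    raise UnsafeTarget(f"more than {max_redirects} redirects")


def system_resolve(host: str) -> set[str]:
    """Resolver backed by the OS (not used by the offline demo below)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def http_client_fetch(url: str, timeout: float = 5.0):
    """Single-request fetcher; http.client never follows redirects on its own."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        path = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, dict(resp.getheaders()), resp.read(64 * 1024)
    finally:
        conn.close()


# Constructed, offline stand-ins for DNS and for the remote servers.
CONSTRUCTED_DNS = {"idp.example.test": ["1.2.3.4"], "evil.example.test": ["5.6.7.8"]}
CONSTRUCTED_RESPONSES = {
    "https://idp.example.test/.well-known/openid-configuration":
        (200, {"Content-Type": "application/json"}, b'{"issuer": "https://idp.example.test"}'),
    # The attacker's host first answers with a relative redirect, then bounces
    # the second hop to the cloud metadata service.
    "https://evil.example.test/config": (302, {"Location": "/hop"}, b""),
    "https://evil.example.test/hop": (302, {"location": "http://169.254.169.254/latest/meta-data/"}, b""),
}


def constructed_resolve(host: str) -> list[str]:
    return CONSTRUCTED_DNS.get(host, [])


def constructed_fetch(url: str):
    return CONSTRUCTED_RESPONSES.get(url, (404, {}, b""))


if __name__ == "__main__":
    print(fetch_with_validated_redirects(
        "https://idp.example.test/.well-known/openid-configuration", constructed_fetch, constructed_resolve))
    try:
        fetch_with_validated_redirects("https://evil.example.test/config", constructed_fetch, constructed_resolve)
    except UnsafeTarget as exc:
        print("blocked:", exc)
```

Two caveats for real use. The check resolves the name once and the fetcher resolves it again, so a rebinding DNS server can pass the check and then hand the connection a different address; a production client should connect to the address it validated (or validate inside the connection callback of its HTTP library). And the same validation has to run on every hop, not only the URL the administrator typed, which is exactly the step the advisory says was missing.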
Github Security Blog, added 2026/03/18 6:31 a.m.

Keycloak: Denial of Service due to excessive SAMLRequest decompression

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service DoS by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryErro...

CVSS 5.3 | AI score 5.8 | EPSS 0.00502
Exploits 0 | References 8 | Affected software 3

OSV, added 2026/03/18 6:31 a.m.

GHSA-XV6H-R36F-3GP5 Keycloak: Denial of Service due to excessive SAMLRequest decompression

A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service DoS by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryErro...

CVSS 5.3 | AI score 5.9 | EPSS 0.00502
Exploits 0 | References 8
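Both SAML entries above (the GitHub Security Blog and OSV records for GHSA-XV6H-R36F-3GP5) describe the same failure: the HTTP-Redirect binding carries the AuthnRequest as raw DEFLATE, base64-encoded, inside a URL parameter, and inflating it with no output bound lets a few kilobytes of input expand into hundreds of megabytes of heap. The block below is an added example, not Keycloak's SAML code or the patch for this advisory: it builds a Redirect Binding SAMLRequest the way a service provider would, then decodes it with a bounded inflater that aborts as soon as the output passes a limit. The two limits and the sample AuthnRequest are assumptions made for the example.

```python
import base64
import urllib.parse
import zlib

# Limits are assumptions chosen for this example, not Keycloak configuration values.
MAX_ENCODED_BYTES = 256 * 1024    # cap on the URL-encoded SAMLRequest parameter
MAX_INFLATED_BYTES = 64 * 1024    # cap on the decompressed XML held in memory


class DecompressionTooLarge(ValueError):
    """Raised when DEFLATE output would exceed the configured limit."""


def encode_redirect_saml_request(xml: bytes) -> str:
    """Produce the SAMLRequest query value of the HTTP-Redirect binding:
    raw DEFLATE (no zlib header or trailer), then base64, then URL-encoding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw deflate stream
    raw = comp.compress(xml) + comp.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def inflate_bounded(raw: bytes, limit: int) -> bytes:
    """Inflate raw DEFLATE data, aborting as soon as the output exceeds `limit`.

    decompress(data, max_length) caps one call's output and parks the unprocessed
    input in .unconsumed_tail, so peak memory is bounded by `limit` plus one
    inflater window instead of by the attacker's chosen compression ratio.
    max_length=0 means "unlimited", so `room` must never reach zero.
    """
    inflater = zlib.decompressobj(-15)
    out = bytearray()
    pending = raw
    while pending:
        room = limit + 1 - len(out)   # one byte past the limit makes overflow observable
        if room <= 0:
            raise DecompressionTooLarge(f"inflated data exceeds {limit} bytes")
        out += inflater.decompress(pending, room)
        pending = inflater.unconsumed_tail
        if len(out) > limit:
            raise DecompressionTooLarge(f"inflated data exceeds {limit} bytes")
    # Once all input is consumed, at most one partially emitted back-reference
    # (<= 258 bytes) is still buffered, so flushing cannot blow the budget.
    out += inflater.flush()
    if len(out) > limit:
        raise DecompressionTooLarge(f"inflated data exceeds {limit} bytes")
    if not inflater.eof:
        raise ValueError("truncated DEFLATE stream")
    return bytes(out)


def decode_redirect_saml_request(value: str, max_encoded: int = MAX_ENCODED_BYTES,
                                 max_inflated: int = MAX_INFLATED_BYTES) -> bytes:
    """Reverse encode_redirect_saml_request() with a size check at every layer.
    `value` is the still URL-encoded query value; base64 output can only shrink,
    so the encoded-length cap also bounds the compressed input."""
    if len(value) > max_encoded:
        raise ValueError(f"SAMLRequest parameter longer than {max_encoded} bytes")
    raw = base64.b64decode(urllib.parse.unquote(value), validate=True)
    return inflate_bounded(raw, max_inflated)


# Constructed sample request and a decompression bomb for the demo.
SAMPLE_AUTHN_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_constructed-example" Version="2.0" IssueInstant="2026-03-18T00:00:00Z" '
    b'AssertionConsumerServiceURL="https://sp.example.test/saml/acs"/>'
)


def build_bomb(inflated_size: int = 8 * 1024 * 1024) -> str:
    """A SAMLRequest that inflates to `inflated_size` zero bytes (ratio ~1000:1)."""
    return encode_redirect_saml_request(b"\x00" * inflated_size)


if __name__ == "__main__":
    legit = encode_redirect_saml_request(SAMPLE_AUTHN_REQUEST)
    print(f"legitimate request: {len(legit)} encoded bytes, decodes to "
          f"{len(decode_redirect_saml_request(legit))} bytes of XML")
    bomb = build_bomb()
    try:
        decode_redirect_saml_request(bomb)
    except DecompressionTooLarge as exc:
        print(f"bomb of {len(bomb)} encoded bytes rejected: {exc}")
```

The important detail is where the check sits: a length check on the query parameter alone does nothing against this class of bug, because DEFLATE's best-case ratio (about 1032:1) turns a 10 KB parameter into 10 MB of output, and an unauthenticated client can send as many of those as it likes. The bound has to be on the inflated output, enforced while inflating.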