4149 matches found

Cvelist
added 2026/02/27 8:10 a.m., 21 views

CVE-2025-12150 Org.keycloak/keycloak-services: webauthn attestation statement verification bypass

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require...

CVSS 3.1, EPSS 0.00202
Exploits 0, References 7
Vulnrichment
added 2026/02/27 8:10 a.m., 2 views

CVE-2025-12150 Org.keycloak/keycloak-services: webauthn attestation statement verification bypass

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require...

CVSS 3.1, AI score 5.8, EPSS 0.00202
Exploits 0, References 7
ATTACKERKB
added 2026/02/27 8:10 a.m., 3 views

CVE-2025-12150

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require...

CVSS 3.1, AI score 5.8, EPSS 0.00202
Exploits 0, References 8
Cvelist
added 2026/02/27 7:30 a.m., 21 views

CVE-2026-0871 Org.keycloak/keycloak-services: keycloak: unauthorized modification of unmanaged user attributes by administrators

A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the syste...

CVSS 4.9, EPSS 0.00307
Exploits 0, References 4
ATTACKERKB
added 2026/02/27 7:30 a.m., 5 views

CVE-2026-0871

A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the syste...

CVSS 4.9, AI score 5.8, EPSS 0.00307
Exploits 0, References 5
Vulnrichment
added 2026/02/27 7:30 a.m., 2 views

CVE-2026-0871 Org.keycloak/keycloak-services: keycloak: unauthorized modification of unmanaged user attributes by administrators

A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the syste...

CVSS 4.9, AI score 5.8, EPSS 0.00307
Exploits 0, References 4
CVE
added 2026/02/27 7:30 a.m., 35 views

CVE-2026-0871

CVE-2026-0871 concerns Keycloak where an administrator with the privileged role manage-users can bypass the system’s restriction “Only administrators can view” for unmanaged attributes, enabling edits to these attributes and resulting in unauthorized changes to user profiles. The issue is an impr...

CVSS 4.9, AI score 5.8, EPSS 0.00307
Exploits 0, References 4, Affected Software 2
AlpineLinux
added 2026/02/27 7:30 a.m., 3 views

CVE-2026-0871

A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the syste...

CVSS 4.9, AI score 5.8, EPSS 0.00307
Exploits 0, References 4
CNNVD
added 2026/02/27 12:00 a.m., 6 views

Keycloak security vulnerability

Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a security vulnerability, which stems from improper access control. This vulnerability could allow administrators with the manage-users permission to bypass settings and modify unmanaged...

CVSS 4.9, AI score 5.8, EPSS 0.00307
Exploits 0, References 4
Positive Technologies
added 2026/02/27 12:00 a.m., 7 views

PT-2026-22311

A flaw was found in Keycloak. An administrator with manage-users permission can bypass the "Only administrators can view" setting for unmanaged attributes, allowing them to modify these attributes. This improper access control can lead to unauthorized changes to user profiles, even when the syste...

CVSS 4.9, AI score 5.8, EPSS 0.00307
Exploits 0, References 5
CNNVD
added 2026/02/27 12:00 a.m., 6 views

Keycloak data forgery vulnerability

Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a vulnerability related to data falsification. This vulnerability stems from defects in the WebAuthn registration component, which may allow for bypassing configured proofing policies and...

CVSS 3.1, AI score 5.8, EPSS 0.00202
Exploits 0, References 7
Positive Technologies
added 2026/02/27 12:00 a.m., 7 views

PT-2026-22313

A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require...

CVSS 3.1, AI score 5.8, EPSS 0.00202
Exploits 0, References 8
Wolfi
added 2026/02/26 7:48 p.m., 9 views

GHSA-Q9HV-HPM4-HJ6X vulnerabilities

Vulnerabilities for packages: terragrunt, argo-events, docker-cli-buildx, crossplane-provider-azure-sql, kubevela, crossplane-provider-azure-authorization, opentofu, aactl, q, crossplane-provider-aws-cloudformation, trivy-operator, pulumi-language-dotnet, gomplate, crossplane-provider-aws-route53...

AI score 5.8
Exploits 0
Wolfi
added 2026/02/26 7:48 p.m., 7 views

CVE-2026-1229 vulnerabilities

Vulnerabilities for packages: terragrunt, argo-events, docker-cli-buildx, crossplane-provider-azure-sql, kubevela, crossplane-provider-azure-authorization, opentofu, aactl, q, crossplane-provider-aws-cloudformation, trivy-operator, pulumi-language-dotnet, gomplate, crossplane-provider-aws-route53...

CVSS 9.8, AI score 7.3, EPSS 0.00397
Exploits 0
Chainguard
added 2026/02/26 7:17 p.m., 8 views

CVE-2026-1229 vulnerabilities

Vulnerabilities for packages: trivy, reports-server, datadog-agent, nuclei, cert-manager-cmctl, crossplane-provider-azure-managedidentity, terragrunt, livekit-cli, atlantis, gitlab-runner, crossplane-provider-aws-cloudwatchlogs-fips, scorecard, crossplane-provider-aws-route53-fips,...

CVSS 9.8, AI score 7.3, EPSS 0.00397
Exploits 0
Chainguard
added 2026/02/26 7:17 p.m., 5 views

GHSA-Q9HV-HPM4-HJ6X vulnerabilities

Vulnerabilities for packages: trivy, reports-server, datadog-agent, nuclei, cert-manager-cmctl, crossplane-provider-azure-managedidentity, terragrunt, livekit-cli, atlantis, gitlab-runner, crossplane-provider-aws-cloudwatchlogs-fips, scorecard, crossplane-provider-aws-route53-fips,...

AI score 5.8
Exploits 0
Tenable Nessus
added 2026/02/26 12:00 a.m., 8 views

Apache Camel 4.15.0 < 4.18.0 Authentication Bypass (CVE-2026-23552)

The version of Apache Camel on the remote host is 4.15.0 prior to 4.18.0. It is, therefore, affected by an authentication bypass vulnerability: - The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss issuer claim of JWT tokens against the configured realm. A token issued by one...

CVSS 9.1, AI score 6, EPSS 0.00398
Exploits 2, References 2
Snyk
added 2026/02/25 7:07 a.m., 5 views

Improper Handling of Insufficient Permissions or Privileges

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Handling of Insufficient Permissions or Privileges via improper enforcement of roles in the UMA 2.0...

CVSS 5.3, AI score 5.9, EPSS 0.00319
Exploits 0, References 2
RedhatCVE
added 2026/02/24 1:34 p.m., 9 views

CVE-2026-23552

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss issuer claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy...

CVSS 9.1, AI score 5.4, EPSS 0.00398
Exploits 2, References 1
vulnersOsv
added 2026/02/24 11:11 a.m., 2 views

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.c4-soft.springaddons:keycloak-grants-mapper (>=3.1.13-jdk1.8 <=3.1.14-jdk17) +192 more potentially affected by CVE-2026-3121 via org.keycloak:keycloak-services (>=10.0.0 <=26.5.5)

org.keycloak:keycloak-services MAVEN version =10.0.0, =0.1.0, =3.1.13-jdk1.8, =11.0.1, =1.2.6, =1.2.5, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...

CVSS 7.2, AI score 5.4, EPSS 0.00471
Exploits 0