
4149 matches found

Snyk | added 2026/02/24 11:11 a.m. | 2 views

Incorrect Privilege Assignment

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Privilege Assignment via the manage-clients permission assignment. An attacker can gain unauthorize...

CVSS 8.5 | AI score 5.8 | EPSS 0.00471
Exploits 0 | References 2
vulnersOsv | added 2026/02/23 9:31 a.m. | 4 views

org.apache.camel.quarkus:camel-quarkus-integration-test-keycloak (=3.31.0), org.apache.camel.quarkus:camel-quarkus-keycloak (>=3.29.0 <=3.31.0) +2 more potentially affected by CVE-2026-23552 via org.apache.camel:camel-keycloak (>=4.15.0 <=4.17.0)

org.apache.camel:camel-keycloak MAVEN version =4.15.0, =3.29.0, =3.29.0, =4.15.0, =4.17.0 Source cves: CVE-2026-23552 Source advisory: SNYK:JAVA-ORGAPACHECAMEL-15353481...

CVSS 9.1 | AI score 5.8 | EPSS 0.00398
Exploits 2
vulnersOsv | added 2026/02/23 9:31 a.m. | 4 views

org.apache.camel.quarkus:camel-quarkus-integration-test-keycloak (=3.31.0), org.apache.camel.quarkus:camel-quarkus-keycloak (>=3.29.0 <=3.31.0) +2 more potentially affected by CVE-2026-23552 via org.apache.camel:camel-keycloak (>=4.15.0 <=4.17.0)

org.apache.camel:camel-keycloak MAVEN version =4.15.0, =3.29.0, =3.29.0, =4.15.0, =4.17.0 Source cves: CVE-2026-23552 Source advisory: OSV:GHSA-C3F3-CC42-XR9V...

CVSS 9.1 | AI score 5.8 | EPSS 0.00398
Exploits 2
Snyk | added 2026/02/23 9:31 a.m. | 7 views

Origin Validation Error

Overview Affected versions of this package are vulnerable to Origin Validation Error via the KeycloakSecurityPolicy which does not validate the iss issuer claim of JWT tokens against the configured realm. An attacker can gain unauthorized access to resources by providing a JWT token issued by a...

CVSS 9.3 | AI score 6 | EPSS 0.00398
Exploits 2 | References 2
OSV | added 2026/02/23 9:31 a.m. | 7 views

GHSA-C3F3-CC42-XR9V Apache Camel: KeycloakSecurityPolicy does not validate issuer of JWT tokens against configured realm

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss issuer claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy...

CVSS 9.1 | AI score 5.5 | EPSS 0.00398
Exploits 2 | References 7
OSV | added 2026/02/23 9:17 a.m. | 6 views

CVE-2026-23552

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss issuer claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy...

CVSS 9.1 | AI score 5.9 | EPSS 0.00398
Exploits 2 | References 3
NVD | added 2026/02/23 9:17 a.m. | 9 views

CVE-2026-23552

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss issuer claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy...

CVSS 9.1 | EPSS 0.00398
Exploits 2 | References 3
ATTACKERKB | added 2026/02/23 8:45 a.m. | 6 views

CVE-2026-23552

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss issuer claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy...

AI score 5.3 | EPSS 0.00398
Exploits 2 | References 2 | Affected Software 1
Cvelist | added 2026/02/23 8:45 a.m. | 25 views

CVE-2026-23552 Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss issuer claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy...

EPSS 0.00398
Exploits 2 | References 2
Vulnrichment | added 2026/02/23 8:45 a.m. | 5 views

CVE-2026-23552 Apache Camel: Camel-Keycloak: Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy

Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. The Camel-Keycloak KeycloakSecurityPolicy does not validate the iss issuer claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy...

AI score 5.4 | EPSS 0.00398
Exploits 2 | References 2
CVE | added 2026/02/23 8:45 a.m. | 38 views

CVE-2026-23552

Summary: CVE-2026-23552 describes an authentication bypass in Apache Camel’s Camel-Keycloak integration via the KeycloakSecurityPolicy. Affected software: Apache Camel versions 4.15.0 through 4.17.9 (per the CVE entry and related Nessus/Red Hat entries). Root cause (as stated): The KeycloakSecuri...

CVSS 9.1 | AI score 5.3 | EPSS 0.00398
Exploits 2 | References 3 | Affected Software 1
CNNVD | added 2026/02/23 12:00 a.m. | 4 views

Apache Camel Security Vulnerability

Apache Camel is an open-source integration framework based on the Enterprise Integration Pattern from the Apache Foundation in the United States. This framework provides implementations of Java objects following the Enterprise Integration Pattern and allows routing and mediation rules to be...

CVSS 9.1 | AI score 5.8 | EPSS 0.00398
Exploits 2 | References 3
Chainguard | added 2026/02/20 7:17 p.m. | 3 views

GHSA-FJF4-6F34-W64Q vulnerabilities

Vulnerabilities for packages: keycloak-fips...

AI score 5.4
Exploits 0
Chainguard | added 2026/02/20 7:17 p.m. | 5 views

CVE-2026-2733 vulnerabilities

Vulnerabilities for packages: keycloak-fips...

CVSS 3.8 | AI score 5.4 | EPSS 0.0033
Exploits 0
OSV | added 2026/02/19 6:31 p.m. | 3 views

GHSA-FJF4-6F34-W64Q Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

CVSS 3.8 | AI score 5.7 | EPSS 0.0033
Exploits 0 | References 8
vulnersOsv | added 2026/02/19 6:31 p.m. | 3 views

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +159 more potentially affected by CVE-2026-2733 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.5.3)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.0.0, =1.2.0 and more Source cves: CVE-2026-2733 Source advisory: OSV:GHSA-FJF4-6F34-W64Q https://vulners.com/osv/OSV:GHSA-FJF4-6F34-...

CVSS 3.8 | AI score 5.4 | EPSS 0.0033
Exploits 0
Github Security Blog | added 2026/02/19 6:31 p.m. | 7 views

Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

CVSS 3.8 | AI score 5.4 | EPSS 0.0033
Exploits 0 | References 8 | Affected Software 1
vulnersOsv | added 2026/02/19 9:17 a.m. | 3 views

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.c4-soft.springaddons:keycloak-grants-mapper (>=3.1.13-jdk1.8 <=3.1.14-jdk17) +191 more potentially affected by CVE-2026-2733 via org.keycloak:keycloak-services (>=10.0.0 <=26.5.3)

org.keycloak:keycloak-services MAVEN version =10.0.0, =0.1.0, =3.1.13-jdk1.8, =11.0.1, =1.2.6, =1.2.5, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...

CVSS 3.8 | AI score 5.4 | EPSS 0.0033
Exploits 0
Snyk | added 2026/02/19 9:17 a.m. | 2 views

Improper Authorization

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Authorization in the /protocol/docker-v2/auth endpoint, which does not ensure that the client is in...

CVSS 5.1 | AI score 5.9 | EPSS 0.0033
Exploits 0 | References 2
NVD | added 2026/02/19 8:16 a.m. | 4 views

CVE-2026-2733

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

CVSS 3.8 | EPSS 0.0033
Exploits 0 | References 4