4149 matches found
EUVD-2026-5130
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services...
CVE-2026-1518
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services...
CVE-2026-1518
Keycloak SSRF issue (CVE-2026-1518) affects the CIBA backchannel notification flow. The vulnerability arises from insufficient validation of the client-configured backchannel_notification_endpoint, enabling a privileged user to trigger blind server-side requests to internal services. Documented i...
ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +149 more potentially affected by CVE-2025-13881 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.4.7)
org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.0.1, =1.1.7 and more Source cves: CVE-2025-13881 Source advisory: OSV:GHSA-G78X-7VWX-9F58...
GHSA-G78X-7VWX-9F58 Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...
Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...
CVE-2025-13881
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...
CVE-2025-13881 Org.keycloak.services.resources.admin: keycloak: limited administrator can retrieve sensitive user attributes via admin api
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...
EUVD-2025-206603
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...
CVE-2025-13881 Org.keycloak.services.resources.admin: keycloak: limited administrator can retrieve sensitive user attributes via admin api
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...
CVE-2025-13881
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...
Keycloak 代码问题漏洞
Keycloak is an open-source identity and access management solution developed by Keycloak itself. Keycloak has code-related vulnerabilities; these vulnerabilities stem from insufficient backend notification endpoint validation by the CIBA function regarding client configurations. This may lead to...
PT-2026-5623
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services...
Keycloak < 26.4.4 Debug Mode JDWP Port Exposure (CVE-2025-11538)
The version of Keycloak installed on the remote host is prior to 26.4.4. It is, therefore, affected by a Port Exposure vulnerability: - A vulnerability exists in Keycloak's server distribution where enabling debug mode --debug insecurely defaults to binding the Java Debug Wire Protocol JDWP port ...
Keycloak x < 26.4.9 / 26.5.x < 26.5.2 Token Exchange Vulnerability
The version of Keycloak installed on the remote host is prior to 26.4.9 / 26.5.2 / 26.6.0. It is, therefore, affected by the following Token Exchange vulnerability: - A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh toke...
CLEANSTART-2026-SG80587 It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session
Multiple security vulnerabilities affect the keycloak package. It was found that the cookie used for CSRF prevention in Keycloak was not unique to each session. See references for individual vulnerability details...
PT-2026-5499
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the Keycloak Admin API that allows an administrator with limited privileges to retrieve sensitive custom attributes. This is achieved through the /unmanagedAttributes API...
GHSA-WV3H-X6C4-R867 vulnerabilities
Vulnerabilities for packages: keycloak...
CVE-2025-14559 vulnerabilities
Vulnerabilities for packages: keycloak...
CVE-2025-66021 vulnerabilities
Vulnerabilities for packages: keycloak...