Malicious code in @bcs-adapters/keycloak-api-adapter (npm)
Source: amazon-inspector 1f764a24270c6884e2f07d786ae252002ce64b35efb380b1dbce85e6af90a8e6 The package @bcs-adapters/keycloak-api-adapter was found to contain malicious code. Source: ghsa-malware...
Malicious Package
Overview @bcs-adapters/keycloak-api-adapter is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and...
EUVD-2026-10869
Parse Server missing audience validation in Keycloak authentication adapter...
EUVD-2026-10868
Parse Server missing audience validation in Keycloak authentication adapter...
GHSA-48MH-J4P5-7J9V Parse Server missing audience validation in Keycloak authentication adapter
Impact The Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse...
Incorrect Authorization
Overview parse-server is a version of the Parse backend that can be deployed to any infrastructure that can run Node.js. Affected versions of this package are vulnerable to Incorrect Authorization in the Keycloak authentication adapter due to missing validation of the azp claim in access tokens...
CVE-2026-30949
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid acces...
CVE-2026-30949
CVE-2026-30949 affects Parse Server deployments using the Keycloak authentication adapter. The issue is that the azp (authorized party) claim in Keycloak access tokens is not validated against the configured client-id, enabling a valid token from one client to authenticate as any user on Parse Se...
CVE-2026-30949 Parse Server is missing audience validation in Keycloak authentication adapter
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid acces...
PT-2026-24427
Name of the Vulnerable Software and Affected Versions Parse Server versions prior to 9.5.2-alpha.5 Parse Server versions prior to 8.6.18 Description Parse Server, an open source backend deployable on Node.js infrastructures, contains a flaw in its Keycloak authentication adapter. Specifically, th...
Parse Server authorization vulnerability
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.5.2-alpha.5 and 8.6.18 have vulnerabilities related to authorization. These vulnerabilities stem from the Keycloak authentication...
ca.bc.gov.tno:dal-db (>=0.0.8-alpha <=0.0.17-alpha), ca.bc.gov.tno:service (>=0.0.1-alpha <=0.0.6-alpha) +356 more potentially affected by CVE-2026-1180 via org.keycloak:keycloak-adapter-core (>=10.0.0 <=25.0.3)
org.keycloak:keycloak-adapter-core MAVEN version =10.0.0, =0.0.8-alpha, =0.0.1-alpha, =1.0.0, =0.0.1, =1.0.2, =1.0.2, =1.0.2, =1.3.2, =1.0.132, =1.0.132, =1.0.133, =1.0.42, =1.0.42, =1.0.42, =1.3.2, =1.8.0 and more Source cves: CVE-2026-1180 Source advisory: OSV:GHSA-7VW6-5Q2F-7W5R...
EUVD-2017-0349
Malware in sbrugna...
PT-2023-12689 · Red Hat · Keycloak Node.Js Adapter
Name of the Vulnerable Software and Affected Versions: Keycloak Node.js Adapter affected versions not specified Description: A flaw was found in the Keycloak Node.js Adapter, allowing an attacker to benefit from an Open Redirect vulnerability in the checkSso function. This issue is also present...
app.dassana:rule-engine (>=1.6.8 <=1.10.1), be.looorent:keycloak-micronaut-adapter (>=1.4.0 <=2.0.0) +574 more potentially affected by CVE-2022-21700 via io.micronaut:micronaut-http (>=1.0.0 <=3.2.6)
io.micronaut:micronaut-http MAVEN version =1.0.0, =1.6.8, =1.4.0, =1.1.0, =0.8.0, =0.9.1, =1.4.0, =2.0.8-micronaut-1.0, =1.3.7.6, =1.3.7.6, =1.7.3-micronaut-1.0, =1.6.2-micronaut-1.0, =2.0.0-micronaut-1.0, =1.7.2-micronaut-1.0, =1.3.7.6, =2.2.2-micronaut-3.0 and more Source cves:...
keycloak: adapter endpoints are exposed via arbitrary URLs
It was found that keycloak exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information...
CVE-2017-7474
It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks...
keycloak-connect: auth token validity check ignored
It was found that the Keycloak Node.js adapter did not handle invalid tokens correctly. An attacker could use this flaw to bypass authentication and gain access to restricted information, or to possibly conduct further attacks...