org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the account Account API feature is disabled
When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled gate...
Incorrect Authorization
Overview: org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Authorization via the user-facing APIs when the Organizations feature is disabled. An...
Improper Isolation or Compartmentalization
Overview: Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through improper handling of single-use entries in the SingleUseObjectProvider, a global key-value store. An attacker can gain unauthorized access or compromise accounts by replaying consumed...
Access Control Bypass
Overview: org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Access Control Bypass due to the DefaultAttributes attribute filtering in the user profile...
EUVD-2026-3691
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...
Keycloak has debug default bind address
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to...
keycloak-server: Debug default bind address
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to...
CVE-2025-11538
Keycloak is affected by CVE-2025-11538 in versions prior to 26.4.4 where enabling debug mode (--debug) binds the JDWP port to all interfaces (0.0.0.0), exposing the debug port on the local network. This potentially allows a local-network attacker to attach a remote debugger and achieve remote cod...
CVE-2025-11538 Keycloak-server: debug default bind address
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to...
EUVD-2024-3365
Malicious code in bioql PyPI...
GHSA-M4J5-5X4R-2XP9 Keycloak SMTP Inject Vulnerability
Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The local part of the e-mail address is limited to 64 characters, so the attack is limited to very short e-mail subjects and little data; the example is 60 characters. This...
CRLF Injection
Overview: org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to CRLF Injection during the e-mail registration. An attacker can cause the system to send unsolicited...
Denial Of Service (DoS)
org.keycloak:keycloak-quarkus-server is vulnerable to Denial of Service (DoS). The vulnerability is due to insufficient input validation in the processing of security headers, allowing improperly formatted input such as newlines to disrupt server operations...
CVE-2024-11734 Org.keycloak:keycloak-quarkus-server: denial of service in keycloak server via security headers
A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a reque...
CVE-2024-11734
CVE-2024-11734 describes a denial-of-service in Keycloak where an admin changing realm security headers could inject newlines, causing the server to write to a terminated request and fail it. The issue affects Keycloak releases prior to 26.0.8 (per Nessus/NVD references) and is related to DoS via...
org.keycloak:keycloak-quarkus-server: Unrestricted admin use of system and environment variables
A vulnerability was found in Keycloak. Admin users may be able to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like $env.VARNAME or $PROPNAME. The serve...
org.keycloak:keycloak-quarkus-server: Denial of Service in Keycloak Server via Security Headers
A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a reque...
Malicious code in keycloak-server (npm)
Source: ossf-package-analysis (3df989aa26dccceca3917c9b3454427df4f54e9c104fbc080e913d30af3e66b2). The OpenSSF Package Analysis project identified 'keycloak-server' @ 0.0.2 (npm) as malicious. It is considered malicious because: - The package...
MAL-2024-11770 Malicious code in keycloak-server (npm)
Source: ossf-package-analysis (3df989aa26dccceca3917c9b3454427df4f54e9c104fbc080e913d30af3e66b2). The OpenSSF Package Analysis project identified 'keycloak-server' @ 0.0.2 (npm) as malicious. It is considered malicious because: - The package...