18 matches found
CVE-2026-14209 Keycloak-admin-ui: keycloak-admin-ui: keycloak: admin ui extension brute-force-user endpoint bypasses fgapv2 user view restrictions
A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions FGAPv2 are enabled, an administrator who should only be able to search for users but not view their full details can use a...
EUVD-2026-40299
A vulnerability was discovered in Keycloak's Admin UI extension that allows certain administrative users to bypass security restrictions. When Fine-Grained Admin Permissions FGAPv2 are enabled, an administrator who should only be able to search for users but not view their full details can use a...
be.jidoka:jdk-keycloak-admin (=2.5.0), br.com.consultdg:database-module (>=1.0.1 <=1.0.10) +1147 more potentially affected by CVE-2026-22746 via org.springframework.security:spring-security-core (>=6.4.0 <=6.4.13)
org.springframework.security:spring-security-core MAVEN version =6.4.0, =1.0.1, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =3.4.0.0, =4.11.3, =4.11.3, =4.11.3, =4.11.3, =4.11.5 and more Source cves: CVE-2026-22746 Source advisory: OSV:GHSA-VXF7-QJ7Q-83FH...
keycloak-server: Keycloak: Improper Access Control in Admin REST API leads to information disclosure
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control...
@backingman/keycloak (=0.0.0-alpha), @backstage-community/plugin-catalog-backend-module-keycloak (>=3.1.1 <=3.17.2) +86 more potentially affected by CVE-2026-2366 via @keycloak/keycloak-admin-client (>=15.1.0 <=26.5.5)
@keycloak/keycloak-admin-client NPM version =15.1.0, =3.1.1, =0.1.1, =0.1.1, =0.1.1, =0.1.0, =1.0.0, =1.0.0, =1.0.0, =2.0.2 and more Source cves: CVE-2026-2366 Source advisory: OSV:GHSA-R8JR-WG88-FQ5C...
CVE-2025-13881
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...
CVE-2025-13881 Org.keycloak.services.resources.admin: keycloak: limited administrator can retrieve sensitive user attributes via admin api
A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings...
PT-2026-5499
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the Keycloak Admin API that allows an administrator with limited privileges to retrieve sensitive custom attributes. This is achieved through the /unmanagedAttributes API...
GHSA-594W-2FWP-JWRC Keycloak Admin REST API exposes backend schema and rules
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control...
CVE-2025-14083
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control...
CVE-2025-14082
A flaw was found in Keycloak Admin REST Representational State Transfer API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/realm/roles endpoint...
CVE-2025-10939 Org.keycloak/keycloak-quarkus-server: unable to restrict access to the admin console
A flaw was found in Keycloak. The Keycloak guides recommend to not expose /admin path to the outside in case the installation is using a proxy. The issue occurs at least via ha-proxy, as it can be tricked to using relative/non-normalized paths to access the /admin application path relative to...
com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak (=24.3.0.0), com.github.wnameless.spring.boot.up:spring-boot-up-keycloak-plugin (=24.3.0.0) +29 more potentially affected by CVE-2025-10044 via org.keycloak:keycloak-admin-ui (>=1.0-alpha-1-12062013 <=26.2.5)
org.keycloak:keycloak-admin-ui MAVEN version =1.0-alpha-1-12062013, =2.5.6-24.0, =0.1.0, =26.1.0, =26.1.0, =26.1.0, =26.1.0, =26.1.0, =26.1.0, =26.1.0, =26.2.0, =26.2.0, =26.1.0, =26.1.0, =26.2.5 and m...
be.jidoka:jdk-keycloak-admin (=2.0.0), br.com.devires.framework.boot:devires-framework-boot-audit (=1.1.0) +1079 more potentially affected by CVE-2025-22228 via org.springframework.security:spring-security-crypto (>=6.0.0 <=6.0.1)
org.springframework.security:spring-security-crypto MAVEN version =6.0.0, =1.1.0, =1.1.0, =0.12.0, =0.12.0, =0.12.0, =0.13.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.1.0, =3.0.2.3 and more Source cves: CVE-2025-22228 Source advisory:...
be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.4.0), ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0) +679 more potentially affected by CVE-2024-10039 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=26.0.5)
org.keycloak:keycloak-core MAVEN version =1.0-alpha-1, =2.0.0, =0.1.0, =0.0.1, =1.5.1, =1.5.1, =1.6.2, =1.6.2, =1.5.2, =1.5.2, =1.7.2, =1.7.2, =1.0.22, =1.0.22, =1.4.3, =1.4.3, =1.6.5 and more Source cves: CVE-2024-10039 Source advisory: OSV:GHSA-93WW-43RR-79V3...
be.jidoka:jdk-keycloak-admin (>=2.0.0 <=2.2.0), cn.sparrowmini:sparrow-keycloak-adapter (>=0.0.1 <=0.0.2) +474 more potentially affected by CVE-2023-0105 via org.keycloak:keycloak-core (>=1.0-alpha-1 <=22.0.0)
org.keycloak:keycloak-core MAVEN version =1.0-alpha-1, =2.0.0, =0.0.1, =1.5.1, =1.5.1, =1.6.2, =1.6.2, =1.5.2, =1.5.2, =1.7.2, =1.7.2, =1.0.22, =1.0.22, =1.4.3, =1.4.3, =1.2.9, =1.5.0 and more Source cves: CVE-2023-0105 Source advisory: OSV:GHSA-C7XW-P58W-H6FJ...
CVE-2022-2256
A Stored Cross-site scripting XSS vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality...
africa.absa:inception-api (>=1.0.0 <=1.2.0), africa.absa:inception-codes-api (>=1.0.0 <=1.2.0) +1533 more potentially affected by CVE-2022-22978 via org.springframework.security:spring-security-core (>=5.5.0 <=5.5.6)
org.springframework.security:spring-security-core MAVEN version =5.5.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.0.0, =1.13.0, =1.13.0, =2.2.0 - be.jidoka:jdk-keycloak-admin =1.2.0 and more Source cves: CVE-2022-22978 Source advisory:...