PYSEC-2026-187

A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoketoken call, so the JWT remained accepted by the API server...

CVE-2026-48726

A bug in Apache Airflow's auth manager logout handling left previously-issued JWT tokens valid after the user clicked logout in the UI: the logout flow for FabAuthManager and KeycloakAuthManager did not actually reach the underlying revoketoken call, so the JWT remained accepted by the API server...

CVE-2026-40948

The Keycloak authentication manager in apache-airflow-providers-keycloak did not generate or validate the OAuth 2.0 state parameter on the login / login-callback flow, and did not use PKCE. An attacker with a Keycloak account in the same realm could deliver a crafted callback URL to a victim's...

Apache Airflow 安全漏洞

Apache Airflow is an open-source platform developed by the Apache Foundation in the United States. It allows for the creation, management, and monitoring of workflows. This platform features scalability and dynamic monitoring capabilities. However, Apache Airflow has security vulnerabilities. The...

PT-2026-20651

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

@pepr/istio (=0.1.0), @pepr/keycloak-authsvc (>=0.3.0 <=0.6.0) potentially affected by CVE-2026-23634 via pepr (>=0.14.2 <=0.9.0)

pepr NPM version =0.14.2, =0.3.0, =0.6.0 Source cves: CVE-2026-23634 Source advisory: OSV:GHSA-W54X-R83C-X79Q...

@avorati/strapi-plugin-preview (=1.0.1), @catchmexz/fedin-cms (>=5.30.1 <=5.30.2) +26 more potentially affected by CVE-2024-56143 via @strapi/core (>=5.0.0 <=5.5.1)

@strapi/core NPM version =5.0.0, =5.30.1, =1.0.0, =2.3.1, =2.0.2, =0.1.0, =2.0.0, =1.0.1, =5.0.0, =0.1.0, =0.2.0, =0.5.0 - cypherscan-strapi =0.1.1 - keycloak-auth-plugin =0.0.1 - my-shopify-app-backend =0.1.0 and more Source cves: CVE-2024-56143 Source advisory: OSV:GHSA-495J-H493-42Q2...

Exploit for Server-Side Request Forgery in Apache Kafka

Apache Kafka 4.1.0 with Keycloak OAuth2 Authentication Produc...

EUVD-2023-0436

Malicious code in bioql PyPI...

EUVD-2025-17468

Malicious code in bioql PyPI...

CVE-2025-49006 Wasp has case insensitive OAuth ID vulnerability

Wasp Web Application Specification is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in the OAuth authentication implementation affecting only Keycloak with a specific config. Wasp currently lowercases OAuth user IDs before...

CVE-2023-24457

A cross-site request forgery CSRF vulnerability in Jenkins Keycloak Authentication Plugin 2.3.0 and earlier allows attackers to trick users into logging in to the attacker's account...

PT-2024-12538 · Red Hat · Keycloak

Name of the Vulnerable Software and Affected Versions: Keycloak affected versions not specified Description: A flaw was found in the client step-up authentication mechanism, where it does not correctly validate authentication. This allows a remote user authenticated with a password to register a...

GHSA-9963-GMH8-VVM6 Session fixation vulnerability in Jenkins Keycloak Authentication Plugin

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login...

GHSA-9WRR-4R9V-26XC CSRF vulnerability in Jenkins Keycloak Authentication Plugin

A cross-site request forgery CSRF vulnerability in Jenkins Keycloak Authentication Plugin 2.3.0 and earlier allows attackers to trick users into logging in to the attacker's account...

CVE-2023-24457

A cross-site request forgery CSRF vulnerability in Jenkins Keycloak Authentication Plugin 2.3.0 and earlier allows attackers to trick users into logging in to the attacker's account...

CVE-2023-24457

A cross-site request forgery CSRF vulnerability in Jenkins Keycloak Authentication Plugin 2.3.0 and earlier allows attackers to trick users into logging in to the attacker's account...

CVE-2023-24456

Jenkins Keycloak Authentication Plugin 2.3.0 and earlier does not invalidate the previous session on login...

Cross site request forgery (csrf)

A cross-site request forgery CSRF vulnerability in Jenkins Keycloak Authentication Plugin 2.3.0 and earlier allows attackers to trick users into logging in to the attacker's account...

Jenkins Plugin Keycloak Authentication 跨站请求伪造漏洞

Jenkins and Jenkins Plugin are both Jenkins open source products.Jenkins is a software application . An open source automation server Jenkins provides hundreds of plugins to support building, deploying, and automating any project.Jenkins Plugin is a software application. A security vulnerability...