Incorrect Authorization

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Authorization via the partialImport feature. An attacker can gain unauthorized administrative...

CVE-2026-9088

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

Insufficient Granularity of Access Control

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Insufficient Granularity of Access Control in the getMembers methods that serve the group members endpoint. A...

PT-2026-46909

A flaw was found in org.keycloak.services. An administrator with delegated access to read group memberships and users can bypass user profile permissions by accessing the group members endpoint. This allows the administrator to view user attributes that are explicitly configured to be denied,...

com.github.vzakharchenko:keycloak-plugins (>=1.1.0 <=1.2.3), com.github.vzakharchenko:mikrotik-radius-plugin (>=1.1.0 <=1.2.3) +15 more potentially affected by CVE-2026-9803 via org.keycloak:keycloak-services (>=9.0.0 <=9.0.3)

org.keycloak:keycloak-services MAVEN version =9.0.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.1.0, =1.2.0, =1.3, =9.0.0, =9.0.0, =9.0.0, =9.0.0, =9.0.0, =9.0.3 and more Source cves: CVE-2026-9803 Source advisory: SNYK:JAVA-ORGKEYCLOAK-17082663...

Out-of-bounds Read

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Out-of-bounds Read via the authorization header parsing in the ClientRegistrationAuth component. An attacker...

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.c4-soft.springaddons:keycloak-grants-mapper (>=3.1.13-jdk1.8 <=3.1.14-jdk17) +219 more potentially affected by CVE-2026-9798 via org.keycloak:keycloak-services (>=10.0.0 <=9.0.3)

org.keycloak:keycloak-services MAVEN version =10.0.0, =0.1.0, =3.1.13-jdk1.8, =11.0.1, =1.2.6, =1.2.5, =0.1, =0.1, =1.0.1, =0.1, =1.0.1, =0.1, =1.2.0, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...

Authentication Bypass by Primary Weakness

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the Client-Initiated Backchannel Authentication CIBA flow. An...

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.c4-soft.springaddons:keycloak-grants-mapper (>=3.1.13-jdk1.8 <=3.1.14-jdk17) +219 more potentially affected by CVE-2026-9796 via org.keycloak:keycloak-services (>=10.0.0 <=9.0.3)

org.keycloak:keycloak-services MAVEN version =10.0.0, =0.1.0, =3.1.13-jdk1.8, =11.0.1, =1.2.6, =1.2.5, =0.1, =0.1, =1.0.1, =0.1, =1.0.1, =0.1, =1.2.0, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...

Time-of-check Time-of-use (TOCTOU) Race Condition

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Time-of-check Time-of-use TOCTOU Race Condition in the role rename endpoint. An attacker can gain unauthorize...

Information Exposure

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Information Exposure via the SAML ECP endpoint when specially crafted SOAP requests are sent with varying...

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.c4-soft.springaddons:keycloak-grants-mapper (>=3.1.13-jdk1.8 <=3.1.14-jdk17) +219 more potentially affected by CVE-2026-9793 via org.keycloak:keycloak-services (>=10.0.0 <=9.0.3)

org.keycloak:keycloak-services MAVEN version =10.0.0, =0.1.0, =3.1.13-jdk1.8, =11.0.1, =1.2.6, =1.2.5, =0.1, =0.1, =1.0.1, =0.1, =1.0.1, =0.1, =1.2.0, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...

Incorrect Authorization

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Authorization via the user-facing APIs when the Organizations feature is disabled. An attacker can...

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.c4-soft.springaddons:keycloak-grants-mapper (>=3.1.13-jdk1.8 <=3.1.14-jdk17) +219 more potentially affected by CVE-2026-9689 via org.keycloak:keycloak-services (>=10.0.0 <=9.0.3)

org.keycloak:keycloak-services MAVEN version =10.0.0, =0.1.0, =3.1.13-jdk1.8, =11.0.1, =1.2.6, =1.2.5, =0.1, =0.1, =1.0.1, =0.1, =1.0.1, =0.1, =1.2.0, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...

Improper Validation of Consistency within Input

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improper Validation of Consistency within Input via the authentication process when a client is configured wi...

Authorization Bypass Through User-Controlled Key

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the cross-session email verification process. An attacker...

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +174 more potentially affected by CVE-2026-7571 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.6.1)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +174 more potentially affected by CVE-2026-7507 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.6.1)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +174 more potentially affected by CVE-2026-7504 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.6.1)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.charlyghislain.keycloak:keycloak-importexport (>=21.0.0 <=23.0.1) +174 more potentially affected by CVE-2026-37982 via org.keycloak:keycloak-services (>=1.0-alpha-1 <=26.6.1)

org.keycloak:keycloak-services MAVEN version =1.0-alpha-1, =0.1.0, =21.0.0, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.10, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...