Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to Authentication Bypass by Alternate Name CVE-2025-14777

Summary keycloak is used by the IBM Datapower Operations Dashboard as part of their IAM and SSO implementation Vulnerability Details CVEID:CVE-2025-14777 DESCRIPTION: A flaw was found in Keycloak. An IDOR Broken Access Control vulnerability exists in the admin API endpoints for authorization...

EUVD-2026-32718

A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol LDAP server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password...

CVE-2026-9801

A flaw was found in Keycloak. A remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol LDAP server or an attacker compromising an upstream LDAP server, could exploit this vulnerability. By sending a malformed LDAP password...

CVE-2026-9798

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...

CVE-2026-9791 Keycloak-rhel9: organization data leak after feature disabled in keycloak

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect OIDC token with the 'organization' scope. This allows organization metadata to be disclosed in...

PT-2026-44194

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw allows a remote attacker with high privileges, such as a realm administrator configuring a malicious Lightweight Directory Access Protocol LDAP server or an attacker who has compromis...

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak itself. There is a security vulnerability in Keycloak. This vulnerability stems from the fact that authenticated administrators with the manage-clients role can exploit the vulnerability in the name-based...

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak. There is a security vulnerability in Keycloak. This vulnerability allows authenticated users with existing organizational membership to exploit it by accessing user-facing APIs or requesting OpenID Connect...

PT-2026-44185

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A remote, unauthenticated attacker can cause information disclosure by sending specially crafted SOAP requests to the SAML ECP Security Assertion Markup Language Enhanced Client or Proxy...

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a security vulnerability that stems from the org.keycloak.protocol.oidc component. When certain conditions are met, the reject-ropc-grant executor is silently bypassed, allowing unauthenticated...

PT-2026-44186

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the Fine-Grained Admin Permissions FGAPv2 feature. An administrator with limited client management permissions can assign any realm role, including highly privileged ones, t...

Keycloak 代码问题漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has code-related vulnerabilities. These vulnerabilities arise when the revokeRefreshToken=true setting is enabled, and persistent session storage is used. A server restart can reset the internal...

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a security vulnerability, which stems from the possibility for remote, unauthenticated attackers to send specially crafted SOAP requests to the SAML ECP endpoint. These requests are accompanied ...

EUVD-2026-32212

A flaw was found in Keycloak, an open-source identity and access management solution. When a client application is configured to accept broad redirect Uniform Resource Identifiers URIs, a remote attacker can manipulate the authentication process by crafting a special web address. If a user clicks...

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak itself. There is a security vulnerability in Keycloak. This vulnerability arises when authenticated low-privilege users can send excessively large SubjectToken JWT tokens to the TokenEndpoint. When the token...

GHSA-HQ3P-W4XV-X7VP Keycloak: Access token disclosure and implicit flow bypass via forged client data

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

CVE-2026-7571

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

CVE-2026-37982

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay ExecuteActionsActionToken tokens within Keycloak's WebAuthn Web Authentication flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's...

CVE-2026-37982 Keycloak: org.keycloak.authentication: keycloak: unauthorized account takeover via webauthn token replay

A flaw was found in Keycloak. This authentication vulnerability allows a remote attacker to replay ExecuteActionsActionToken tokens within Keycloak's WebAuthn Web Authentication flow. By intercepting an execute-actions email link, an attacker can register their own authenticator to a victim's...

CVE-2026-37979

A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...