Keycloak security vulnerability
Keycloak is an open-source identity and access management solution developed by the Keycloak project. Keycloak has a security vulnerability that stems from missing cryptographic signature verification. Attackers could successfully self-register with unauthorized organizations by modifying the organization...
PT-2026-7128
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified). Description: A flaw exists in the jwt-authorization-grant flow where the server does not verify whether an Identity Provider (IdP) is enabled before issuing tokens. The lookupIdentityProviderFromIssuer mechanis...
PT-2026-7127
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified). Description: A broken access control issue exists within the UserManagedPermissionService (UMA Protection API). Specifically, when updating or deleting a UMA policy linked to multiple resources, the system...
PT-2026-7129
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified). Description: A flaw exists in Keycloak's invitation token registration mechanism. The server does not verify the cryptographic signature of the JSON Web Token (JWT). An attacker can modify the organization...
Server-Side Request Forgery (SSRF)
Keycloak is vulnerable to Server-Side Request Forgery (SSRF). The vulnerability is due to insufficient validation of client-configured backchannel notification endpoints in the CIBA feature, allowing attackers to trigger blind server-side requests to internal services or protected network resources...
Information Disclosure
Keycloak is vulnerable to sensitive information disclosure. The vulnerability is due to insufficient enforcement of User Profile visibility controls in the Admin API: a limited-privilege administrator can read sensitive custom user attributes via the /unmanagedAttributes endpoint, bypassi...
Linux Distros Unpatched Vulnerability : CVE-2025-14559
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading...
Linux Distros Unpatched Vulnerability : CVE-2026-1035
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse...
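CVE-2025-14559 (tokens minted for disabled users) and CVE-2026-1035 (refresh token reuse enforcement) are both failures in the checks a token endpoint must run before rotating a refresh token. The class below is an added example, not Keycloak's TokenManager and not derived from either advisory; it is modelled loosely on the realm settings "Revoke Refresh Token" and "Refresh Token Max Reuse", with the user-enabled check made explicit on the refresh path, and its token format and session model are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class User:
    username: str
    enabled: bool = True


@dataclass
class Session:
    user: User
    uses: Dict[str, int] = field(default_factory=dict)  # refresh token -> times presented
    revoked: bool = False


class RefreshTokenManager:
    """Added example loosely modelled on "Revoke Refresh Token" / "Refresh Token Max Reuse".
    It is not Keycloak's TokenManager."""

    def __init__(self, max_reuse: int = 0):
        self.max_reuse = max_reuse              # 0: every refresh token is strictly single-use
        self.sessions: Dict[str, Session] = {}  # all tokens of one session map to one object

    def _rotate(self, sess: Session) -> str:
        token = secrets.token_urlsafe(16)
        sess.uses[token] = 0
        self.sessions[token] = sess
        return token

    def login(self, user: User) -> str:
        if not user.enabled:
            raise PermissionError("user is disabled")
        return self._rotate(Session(user=user))

    def refresh(self, refresh_token: str) -> str:
        sess = self.sessions.get(refresh_token)
        if sess is None or sess.revoked:
            raise PermissionError("unknown or revoked refresh token")
        # The check CVE-2025-14559 describes as missing: a user disabled after login must
        # not be able to mint new tokens from a refresh token that is otherwise still valid.
        if not sess.user.enabled:
            sess.revoked = True
            raise PermissionError("user is disabled")
        sess.uses[refresh_token] += 1
        # A token presented more than (1 + max_reuse) times is being replayed, which is the
        # signature of a stolen refresh token: revoke the whole session, not just this token.
        if sess.uses[refresh_token] > 1 + self.max_reuse:
            sess.revoked = True
            raise PermissionError("refresh token reuse limit exceeded; session revoked")
        return self._rotate(sess)


def try_refresh(tm: RefreshTokenManager, refresh_token: str) -> Optional[str]:
    """Walkthrough helper: the new refresh token, or None when the server refuses."""
    try:
        return tm.refresh(refresh_token)
    except PermissionError:
        return None


if __name__ == "__main__":
    tm = RefreshTokenManager(max_reuse=0)
    alice = User("alice")
    rt1 = tm.login(alice)
    rt2 = tm.refresh(rt1)
    print("replay of rotated-out token accepted?", try_refresh(tm, rt1) is not None)
    print("current token still usable after replay?", try_refresh(tm, rt2) is not None)
    bob = User("bob")
    rt = tm.login(bob)
    bob.enabled = False
    print("disabled user can refresh?", try_refresh(tm, rt) is not None)
```

With max_reuse set to 0, presenting a rotated-out token once is enough to kill the session, so a stolen refresh token that races the legitimate client burns both copies; with max_reuse set to 1, one accidental double-submit is tolerated before the session is revoked.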
CVE-2025-9162 vulnerabilities
Vulnerabilities for packages: keycloak...
GHSA-8HXP-QMPH-W5GQ vulnerabilities
Vulnerabilities for packages: keycloak...
GHSA-8HXP-QMPH-W5GQ vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
CVE-2025-9162 vulnerabilities
Vulnerabilities for packages: keycloak-fips, keycloak...
ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.c4-soft.springaddons:keycloak-grants-mapper (>=3.1.13-jdk1.8 <=3.1.14-jdk17) +219 more potentially affected by CVE-2026-1518 via org.keycloak:keycloak-services (>=10.0.0 <=9.0.3)
org.keycloak:keycloak-services MAVEN version =10.0.0, =0.1.0, =3.1.13-jdk1.8, =11.0.1, =1.2.6, =1.2.5, =0.1, =0.1, =1.0.1, =0.1, =1.0.1, =0.1, =1.2.0, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...
Server-side Request Forgery (SSRF)
Overview: org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via insufficient validation of the backchannel_client_notification_endpoint,...
Keycloak Server-Side Request Forgery (SSRF) vulnerability
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services...
GHSA-FWHW-CHW4-GH37 Keycloak Server-Side Request Forgery (SSRF) vulnerability
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services...
CVE-2026-1518
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services...
CVE-2026-1518 Keycloak: blind server-side request forgery (ssrf) via ciba backchannel notification endpoint in keycloak
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services...
CVE-2026-1518
A flaw was found in Keycloak's CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. Mitigation: To mitigate this issue, restrict administrative access to Keycloak instances. Ensure that only...
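The SSRF entries on this page (the Snyk summary naming backchannel_client_notification_endpoint and the CVE-2026-1518 records above) all come down to the same gap: a client-controlled URL that the server will later call without checking where it points. The validator below is an added example of the kind of check a practitioner would want in front of that callback; it is not Keycloak's fix and the advisory does not describe what Keycloak changed. The DNS table is constructed so the code runs offline, and the addresses in it are made up for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. Production code resolves with
# socket.getaddrinfo and must re-check the address at connect time (DNS rebinding).
FAKE_DNS: Dict[str, List[str]] = {
    "client.example.com": ["1.2.3.4"],              # constructed public address
    "metadata.internal": ["169.254.169.254"],       # cloud metadata service, link-local
    "rebind.example.net": ["1.2.3.4", "10.0.0.5"],  # one public and one private answer
}


def resolve(host: str, dns: Dict[str, List[str]] = FAKE_DNS) -> list:
    """Return ip_address objects for a literal host or for a name in the constructed table."""
    try:
        return [ipaddress.ip_address(host)]  # literal IPv4/IPv6 host, including [::1]
    except ValueError:
        return [ipaddress.ip_address(a) for a in dns.get(host, [])]


def validate_notification_endpoint(
    url: str,
    dns: Dict[str, List[str]] = FAKE_DNS,
    allowed_hosts: Optional[Set[str]] = None,
) -> Tuple[bool, str]:
    """Decide whether a client-supplied backchannel notification URL may ever be called."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        _ = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "scheme must be https"
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        # "https://trusted.example@10.0.0.5/" parses with host 10.0.0.5; refuse userinfo outright
        return False, "userinfo in URL is not allowed"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, "host is not on the allowlist"
    addrs = resolve(host, dns)
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        # Any non-global answer (loopback, RFC 1918, link-local, ULA, multicast, reserved)
        # rejects the whole name, so a rebinding name with one public answer still fails.
        if not addr.is_global:
            return False, f"host resolves to non-global address {addr}"
    return True, "ok"


if __name__ == "__main__":
    for candidate in (
        "https://client.example.com/ciba/notify",
        "http://client.example.com/ciba/notify",
        "https://127.0.0.1:8080/",
        "https://[::1]/",
        "https://metadata.internal/latest/meta-data/",
        "https://rebind.example.net/cb",
        "https://client.example.com@10.0.0.5/",
    ):
        print(candidate, "->", validate_notification_endpoint(candidate))
```

The check is only half of the control: because the CIBA request is blind, the caller never sees the response, so the address must be re-validated at connect time as well as at registration, and the mitigation the advisory gives (restricting who can register or edit clients) limits who can plant such a URL in the first place.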