Lucene search
K

73 matches found

CVE
CVE
added 2026/03/10 8:6 p.m.22 views

CVE-2026-29792

Feathersjs (v5.0.0–5.0.41) is vulnerable to an unauthenticated bypass in the OAuth callback endpoint. A forged profile sent via the query string to /oauth/:provider/callback can trigger a fallback path that reads params.query when Grant’s session/state is empty, allowing an attacker to drive enti...

9.8CVSS5.8AI score0.00519EPSS
Exploits0References1Affected Software1
RedHat Linux
RedHat Linux
added 2026/03/05 7:7 p.m.3 views

org.keycloak/keycloak-services: Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

3.8CVSS5.7AI score0.0033EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/03/02 4:18 p.m.2 views

CVE-2026-28396 NocoDB: Refresh Tokens Not Revoked on Password Reset

NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has be...

7.1CVSS5.8AI score0.00181EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/02/19 6:31 p.m.10 views

Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

3.8CVSS5.4AI score0.0033EPSS
Exploits0References8Affected Software1
Cvelist
Cvelist
added 2026/02/19 7:48 a.m.32 views

CVE-2026-2733 Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

3.8CVSS0.0033EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/02/19 7:48 a.m.4 views

CVE-2026-2733

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

3.8CVSS5.8AI score0.0033EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/02/19 7:48 a.m.4 views

CVE-2026-2733

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

3.8CVSS5AI score0.0033EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/02/19 12:0 a.m.9 views

PT-2026-20651

A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...

3.8CVSS5.4AI score0.0033EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/02/09 9:31 p.m.10 views

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...

8.8CVSS5.6AI score0.00449EPSS
Exploits0References10Affected Software1
OSV
OSV
added 2026/02/09 9:31 p.m.2 views

GHSA-37GF-GMXV-74WV Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...

8.8CVSS5.8AI score0.00449EPSS
Exploits0References10
RedhatCVE
RedhatCVE
added 2026/02/09 6:36 p.m.4 views

CVE-2026-1486

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...

8.8CVSS5.5AI score0.00449EPSS
Exploits0References3
CVE
CVE
added 2026/02/09 6:36 p.m.41 views

CVE-2026-1486

CVE-2026-1486 : In Keycloak, the jwt-authorization-grant flow fails to verify whether an IdP is enabled before issuing tokens. The issuer lookup (lookupIdentityProviderFromIssuer) fetches the IdP config but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to com...

8.8CVSS5.6AI score0.00449EPSS
Exploits0References5
Cvelist
Cvelist
added 2026/02/09 6:36 p.m.31 views

CVE-2026-1486 Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant

A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...

8.8CVSS0.00449EPSS
Exploits0References4
Snyk
Snyk
added 2026/02/09 6:23 p.m.4 views

Improperly Implemented Security Check for Standard

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to improper verification if an Identity Provider IdP i...

8.8CVSS5.6AI score0.00449EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/02/09 12:0 a.m.6 views

PT-2026-7128

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the jwt-authorization-grant flow where the server does not verify if an Identity Provider IdP is enabled before issuing tokens. The lookupIdentityProviderFromIssuer mechanis...

8.8CVSS5.9AI score0.00449EPSS
Exploits0References19
EUVD
EUVD
added 2026/01/21 6:13 a.m.19 views

EUVD-2026-3686

A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a...

6.5CVSS5.4AI score0.00443EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2025/12/16 12:23 a.m.6 views

SUSE CVE-2025-65430

An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as isactive=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected...

5.4CVSS7AI score0.00138EPSS
Exploits0References3
PyPA
PyPA
added 2025/12/15 2:15 p.m.13 views

PYSEC-2025-110

An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as isactive=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected...

5.4CVSS5.8AI score0.00138EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2025/12/15 2:15 p.m.9 views

PYSEC-2025-110

An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as isactive=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected...

5.4CVSS5.8AI score0.00138EPSS
Exploits0References2
OSV
OSV
added 2025/12/15 2:15 p.m.4 views

CVE-2025-65430

An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as isactive=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected...

5.4CVSS5.8AI score
Exploits0References1
Rows per page
Query Builder