73 matches found
CVE-2026-29792
Feathersjs (v5.0.0–5.0.41) is vulnerable to an unauthenticated bypass in the OAuth callback endpoint. A forged profile sent via the query string to /oauth/:provider/callback can trigger a fallback path that reads params.query when Grant’s session/state is empty, allowing an attacker to drive enti...
org.keycloak/keycloak-services: Keycloak: Missing Check on Disabled Client for Docker Registry Protocol
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...
CVE-2026-28396 NocoDB: Refresh Tokens Not Revoked on Password Reset
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has be...
Keycloak: Missing Check on Disabled Client for Docker Registry Protocol
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...
CVE-2026-2733 Org.keycloak/keycloak-services: keycloak: missing check on disabled client for docker registry protocol
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...
CVE-2026-2733
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...
CVE-2026-2733
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...
PT-2026-20651
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously...
Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...
GHSA-37GF-GMXV-74WV Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...
CVE-2026-1486
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...
CVE-2026-1486
CVE-2026-1486 : In Keycloak, the jwt-authorization-grant flow fails to verify whether an IdP is enabled before issuing tokens. The issuer lookup (lookupIdentityProviderFromIssuer) fetches the IdP config but does not filter for isEnabled=false. If an administrator disables an IdP (e.g., due to com...
CVE-2026-1486 Org.keycloak.protocol.oidc.grants: disabled identity providers are still accepted for jwt authorization grant
A flaw was found in Keycloak. A vulnerability exists in the jwt-authorization-grant flow where the server fails to verify if an Identity Provider IdP is enabled before issuing tokens. The issuer lookup mechanism lookupIdentityProviderFromIssuer retrieves the IdP configuration but does not filter...
Improperly Implemented Security Check for Standard
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Improperly Implemented Security Check for Standard due to improper verification if an Identity Provider IdP i...
PT-2026-7128
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the jwt-authorization-grant flow where the server does not verify if an Identity Provider IdP is enabled before issuing tokens. The lookupIdentityProviderFromIssuer mechanis...
EUVD-2026-3686
A flaw was found in the keycloak-services component of Keycloak. This vulnerability allows the issuance of access and refresh tokens for disabled users, leading to unauthorized use of previously revoked privileges, via a business logic vulnerability in the Token Exchange implementation when a...
SUSE CVE-2025-65430
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as isactive=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected...
PYSEC-2025-110
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as isactive=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected...
PYSEC-2025-110
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as isactive=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected...
CVE-2025-65430
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as isactive=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected...