50 matches found
CVE-2026-41671
Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...
keycloak: Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...
GHSA-4X37-HW65-52W8 Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...
Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...
CVE-2026-37979
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...
CVE-2026-37979 Keycloak: keycloak: information disclosure via oidc token introspection endpoint audience bypass
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...
CVE-2026-37979 Keycloak: keycloak: information disclosure via oidc token introspection endpoint audience bypass
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...
CVE-2026-37979
Keycloak CVE-2026-37979 describes an information-disclosure via the OIDC token introspection endpoint where an attacker-controlled but credentialed confidential client can bypass audience restrictions, exposing token claims intended for other resource servers. Impact is confidentiality of lightwe...
EUVD-2026-30887
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...
CVE-2026-37979
A flaw was found in Keycloak. This access control vulnerability in Keycloak's OpenID Connect OIDC token introspection endpoint allows a confidential client to bypass audience restrictions. An attacker-controlled client with valid credentials can retrieve sensitive token claims intended for other...
EUVD-2026-30843
A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect OIDC Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially...
Incorrect Implementation of Authentication Algorithm
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Incorrect Implementation of Authentication Algorithm through the TokenManager and OIDC endpoint token checks ...
Open Redirect
Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Open Redirect via the TokenEndpoint introspection flow in the OIDC protocol handlers. An attacker can...
PT-2026-41841
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw in the OpenID Connect OIDC Introspection feature occurs when both realm-level and client-level notBefore revocation policies are configured. In this scenario, the system fails to...
PT-2026-41870
Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description An access control flaw exists in the OpenID Connect OIDC token introspection endpoint. This issue allows a confidential client with valid credentials to bypass audience restrictions and...
CVE-2026-41671
Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...
CVE-2026-41671 Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation
Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...
CVE-2026-41671
Admidio is an open-source user management solution. Prior to version 5.0.9, the OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or...
CVE-2026-41671
Admidio prior to version 5.0.9 contains a vulnerability in its OIDC token introspection (/modules/sso/index.php/oidc/introspect) and revocation (/oidc/revoke) endpoints. The introspection endpoint always returns {"active": true} and the revocation endpoint returns {"revoked": true} without authen...
Admidio: OIDC Token Introspection Endpoint Returns Active for All Tokens Without Validation
Summary The OIDC token introspection endpoint /modules/sso/index.php/oidc/introspect always returns "active": true for every request, regardless of whether a valid token is provided, whether the token is expired, revoked, or completely fabricated. The endpoint performs no authentication of the...