org.keycloak.keycloak-services: Improper Access Control on Keycloak Server when the account Account API feature is disabled

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled gate...

CVE-2026-9791

A flaw was found in Keycloak. An authenticated user with existing organization membership can exploit this flaw by accessing user-facing APIs, such as the account API or by requesting an OpenID Connect OIDC token with the 'organization' scope. This allows organization metadata to be disclosed in...

CVE-2026-7500 Org.keycloak.keycloak-services: improper access control on keycloak server when the account account api feature is disabled

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled gate...

CVE-2026-7500

When Keycloak is started with --features-disabled=account,account-api, the Account REST API is only partially disabled. Five endpoints under the versioned path /account/v1alpha1 remain fully functional — including both read and write operations — because they lack the checkAccountApiEnabled gate...

CVE-2026-3429

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered...

CVE-2026-3429 Org.keycloak.services.resources.account: improper access control leading to mfa deletion and account takeover in keycloak account rest api

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered...

CVE-2026-3429

CVE-2026-3429 (Keycloak) affects the Keycloak Account REST API. A user with lower-privilege authentication can perform actions intended for higher-assurance sessions, specifically deleting a victim’s MFA/OTP credential after obtaining the victim’s password, and then registering their own MFA devi...

CVE-2026-3429

A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered...

Keycloak 安全漏洞

Keycloak is an open-source identity and access management solution developed by Keycloak. Keycloak has a security vulnerability, which stems from improper access control in the Account REST API. This vulnerability may allow users with low security levels to perform sensitive operations, potential...

CVE-2020-12644

OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API...

EUVD-2020-4944

Malware in sbrugna...

Malicious code in eth-account-api (PyPI)

--- -= Per source details. Do not edit below this line.=-...

MAL-2024-9973 Malicious code in eth-account-api (PyPI)

--- -= Per source details. Do not edit below this line.=-...

Weintek Weincloud

1. EXECUTIVE SUMMARY ​CVSS v3 7.5 ​ATTENTION: Exploitable remotely/low attack complexity ​Vendor: Weintek ​Equipment: Weincloud ​Vulnerabilities: Weak Password Recovery Mechanism for Forgotten Password, Improper Authentication, Improper Restriction of Excessive Authentication Attempts, Improper...

Malicious code in @12build/account-api-ts-axios-sdk (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware cc5c5465a393a23f776128754b0543c03787f78e563b7142645453e912068ff6 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Improper Neutralization of Equivalent Special Elements

Overview Affected versions of this package are vulnerable to Improper Neutralization of Equivalent Special Elements due to a possible HTML injection via deleting an account's API key that has a payload as its label. Remediation Upgrade BTCPayServer.Client to version 1.7.5 or higher. References -...

CVE-2020-12644

OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API...

Server side request forgery (ssrf)

OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API...

CVE-2020-12644

OX App Suite 7.10.3 and earlier allows SSRF, related to the mail account API and the /folder/list API...