13 matches found
keycloak: org.keycloak.protocol.oidc.grants.ciba: Keycloak: Information disclosure via CORS header injection due to unvalidated JWT azp claim
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing CORS header injection vulnerability in Keycloak's User-Managed Access UMA token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token JWT is used to set the...
Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing CORS header injection vulnerability in Keycloak's User-Managed Access UMA token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token JWT is used to set the...
CVE-2026-37977 Keycloak: org.keycloak.protocol.oidc.grants.ciba: keycloak: information disclosure via cors header injection due to unvalidated jwt azp claim
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing CORS header injection vulnerability in Keycloak's User-Managed Access UMA token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token JWT is used to set the...
CVE-2026-37977
CVE-2026-37977 affects Keycloak’s User-Managed Access (UMA) token endpoint. A flaw in CORS handling arises when the azp claim from a client-supplied JWT is used to set the Access-Control-Allow-Origin header before JWT validation, allowing an attacker-controlled origin to be reflected in responses...
CVE-2026-37977 Keycloak: org.keycloak.protocol.oidc.grants.ciba: keycloak: information disclosure via cors header injection due to unvalidated jwt azp claim
A flaw was found in Keycloak. A remote attacker can exploit a Cross-Origin Resource Sharing CORS header injection vulnerability in Keycloak's User-Managed Access UMA token endpoint. This flaw occurs because the azp claim from a client-supplied JSON Web Token JWT is used to set the...
BIT-PARSE-2026-30949 Parse Server is missing audience validation in Keycloak authentication adapter
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid access token...
EUVD-2026-10869
Parse Server missing audience validation in Keycloak authentication adapter...
EUVD-2026-10868
Parse Server missing audience validation in Keycloak authentication adapter...
Parse Server missing audience validation in Keycloak authentication adapter
Impact The Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid access token issued by the same Keycloak realm for a different client application can be used to authenticate as any user on the Parse...
CVE-2026-30949 Parse Server is missing audience validation in Keycloak authentication adapter
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid acces...
CVE-2026-30949 Parse Server is missing audience validation in Keycloak authentication adapter
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid acces...
CVE-2026-30949 Parse Server is missing audience validation in Keycloak authentication adapter
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.5 and 8.6.18, the Keycloak authentication adapter does not validate the azp authorized party claim of Keycloak access tokens against the configured client-id. A valid acces...
Parse Server 授权问题漏洞
Parse Server is an open-source backend developed by the Parse Platform. It can be deployed on any infrastructure that runs Node.js. Versions of Parse Server prior to 9.5.2-alpha.5 and 8.6.18 have vulnerabilities related to authorization. These vulnerabilities stem from the Keycloak authentication...