Lucene search
K

64 matches found

RedHat Linux
RedHat Linux
added 2026/06/25 5:36 p.m.4 views

org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS5.8AI score0.00295EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/06/18 1:1 p.m.8 views

ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components

Summary A Server-Side Request Forgery SSRF vulnerability was discovered in Zitadel affecting: HTTP Notification Channels: Used as an alternative to SMTP/Twilio configurations, sending payloads to user-defined URLs via HTTP POST webhooks. OIDC BackChannel Logout: Terminates sessions across differe...

6.1AI score
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/18 1:1 p.m.6 views

GHSA-29JH-8CFQ-RR8X ZITADEL: Server-Side Request Forgery (SSRF) and Denylist Bypass in Outgoing HTTP Components

Summary A Server-Side Request Forgery SSRF vulnerability was discovered in Zitadel affecting: HTTP Notification Channels: Used as an alternative to SMTP/Twilio configurations, sending payloads to user-defined URLs via HTTP POST webhooks. OIDC BackChannel Logout: Terminates sessions across differe...

2.3CVSS6.2AI score
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/18 12:0 a.m.15 views

PT-2026-50740

Name of the Vulnerable Software and Affected Versions Zitadel versions 4.0.0 through 4.15.1 Zitadel versions 3.0.0 through 3.4.11 Description A Server-Side Request Forgery SSRF issue exists in components that handle outgoing HTTP requests, specifically HTTP Notification Channels, OIDC BackChannel...

2.3CVSS6AI score
Exploits0References6
NVD
NVD
added 2026/05/28 6:16 a.m.19 views

CVE-2026-9798

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...

4.3CVSS0.00206EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/05/28 4:37 a.m.15 views

CVE-2026-9798 Keycloak: keycloak: brute-force protection bypass in ciba flow

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...

4.3CVSS5.7AI score0.00206EPSS
Exploits0References2
EUVD
EUVD
added 2026/05/28 4:37 a.m.11 views

EUVD-2026-32717

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...

4.3CVSS5.7AI score0.00206EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/05/28 4:37 a.m.35 views

CVE-2026-9798 Keycloak: keycloak: brute-force protection bypass in ciba flow

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...

4.3CVSS0.00206EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/05/28 4:37 a.m.10 views

CVE-2026-9798

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...

4.3CVSS5.7AI score0.00206EPSS
Exploits0References3
CVE
CVE
added 2026/05/28 4:37 a.m.40 views

CVE-2026-9798

Keycloak is affected by a flaw where, after a user account is temporarily locked due to repeated failed logins, an attacker with valid client credentials can abuse the Client-Initiated Backchannel Authentication (CIBA) flow to bypass the lock. This allows continued authentication attempts and tok...

4.3CVSS5.7AI score0.00206EPSS
Exploits0References2Affected Software1
RedhatCVE
RedhatCVE
added 2026/05/28 4:37 a.m.12 views

CVE-2026-9798

A flaw was found in Keycloak, an open-source identity and access management solution. When a user account is temporarily locked due to repeated failed login attempts, an attacker with valid client credentials can exploit the Client-Initiated Backchannel Authentication CIBA flow to bypass this...

4.3CVSS5.7AI score0.00206EPSS
Exploits0References3
Snyk
Snyk
added 2026/05/28 3:53 a.m.11 views

Authentication Bypass by Primary Weakness

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Primary Weakness via the Client-Initiated Backchannel Authentication CIBA flow. An...

4.3CVSS5.9AI score0.00206EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/28 12:0 a.m.14 views

PT-2026-44193

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw in the Client-Initiated Backchannel Authentication CIBA flow allows an attacker with valid client credentials to bypass brute-force protection. When a user account is temporarily lock...

4.3CVSS5.8AI score0.00206EPSS
Exploits0References4
EUVD
EUVD
added 2026/03/26 9:30 a.m.8 views

EUVD-2026-16142

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS5.8AI score0.00295EPSS
Exploits0References3
Snyk
Snyk
added 2026/03/26 9:30 a.m.1 views

Server-side Request Forgery (SSRF)

Overview org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Server-side Request Forgery SSRF via the clientsessionhost parameter during refresh token requests when the...

3.5CVSS5.6AI score0.00295EPSS
Exploits0References2
OSV
OSV
added 2026/03/26 9:30 a.m.5 views

GHSA-22RM-WP4X-V5CX Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS5.9AI score0.00295EPSS
Exploits0References4
Github Security Blog
Github Security Blog
added 2026/03/26 9:30 a.m.5 views

Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS5.9AI score0.00295EPSS
Exploits0References4Affected Software1
NVD
NVD
added 2026/03/26 8:16 a.m.3 views

CVE-2026-4874

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS0.00295EPSS
Exploits0References6
Vulnrichment
Vulnrichment
added 2026/03/26 7:12 a.m.1 views

CVE-2026-4874 Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS5.8AI score0.00295EPSS
Exploits0References6
Cvelist
Cvelist
added 2026/03/26 7:12 a.m.31 views

CVE-2026-4874 Org.keycloak.protocol.oidc.grants: org.keycloak.services.managers: keycloak: server-side request forgery via oidc token endpoint manipulation

A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery SSRF by manipulating the clientsessionhost parameter during refresh token requests. This occurs when a Keycloak client is configured to use the backchannel.logout.url with the application.session.host...

3.1CVSS0.00295EPSS
Exploits0References6
Rows per page
Query Builder