Lucene search
K

4295 matches found

Nuclei
Nuclei
added yesterday77 views

Keycloak - SAML Core Package Signature Validation Flaw

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Referen...

7.7CVSS6.7AI score0.0203EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday86 views

KeyCloak - Information Exposure

A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients like client secret without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this...

6.5CVSS6.5AI score0.17943EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday93 views

Keycloak - Open Redirect

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially...

6.1CVSS6AI score0.01959EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday142 views

Keycloak < 24.0.5 - Broken Access Control

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. id: CVE-2024-3656 info...

8.1CVSS7.1AI score0.02837EPSS
Exploits0References5
Chainguard
Chainguard
added 2 days ago3 views

GHSA-MX76-R943-RF8G vulnerabilities

Vulnerabilities for packages: opensearch, geoserver, keycloak-fips, bouncycastle-fips, wazuh-indexer, guacamole-client...

5.9AI score
Exploits0
Chainguard
Chainguard
added 2 days ago3 views

CVE-2026-8149 vulnerabilities

Vulnerabilities for packages: opensearch, geoserver, keycloak-fips, bouncycastle-fips, wazuh-indexer, guacamole-client...

5.1CVSS5.9AI score0.00158EPSS
Exploits0
Nuclei
Nuclei
added 3 days ago274 views

Keycloak 10.0.0 - 18.0.0 - Cross-Site Scripting

Keycloak 10.0.0 to 18.0.0 contains a cross-site scripting vulnerability via the client-registrations endpoint. On a POST request, the application does not sanitize an unknown attribute name before including it in the error response with a 'Content-Type' of text/hml. Once reflected, the response i...

6.1CVSS6.6AI score0.37246EPSS
Exploits3References6
NVD
NVD
added 4 days ago9 views

CVE-2026-53913

Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely 'Failing Open' vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess, which performs three checks ...

9.8CVSS0.00619EPSS
Exploits0References1
NVD
NVD
added 4 days ago6 views

CVE-2026-46455

Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks... with only the subject-exists check and the realm-URL issuer check. Keycloak's...

9.8CVSS0.00411EPSS
Exploits0References2
EUVD
EUVD
added 4 days ago9 views

EUVD-2026-41847

Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely 'Failing Open' vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess, which performs three checks ...

6.4AI score0.00619EPSS
Exploits0References1
Cvelist
Cvelist
added 4 days ago32 views

CVE-2026-53913 Apache Camel Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration the token is never verified and any non-null bearer value is accepted

Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely 'Failing Open' vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess, which performs three checks ...

0.00619EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 4 days ago5 views

CVE-2026-53913

Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely 'Failing Open' vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess, which performs three checks ...

6.4AI score0.00619EPSS
Exploits0References2Affected Software1
CVE
CVE
added 4 days ago18 views

CVE-2026-53913

CVE-2026-53913 – Apache Camel Keycloak (camel-keycloak) : The vulnerability arises because the KeycloakSecurityPolicy performs token verification only inside role and permission checks. By default, requiredRoles and requiredPermissions are empty, causing these checks to be skipped while the polic...

9.8CVSS6.4AI score0.00619EPSS
Exploits0References1Affected Software1
EUVD
EUVD
added 4 days ago4 views

EUVD-2026-41829

Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks... with only the subject-exists check and the realm-URL issuer check. Keycloak's...

9.8CVSS6AI score0.00411EPSS
Exploits0References1
Cvelist
Cvelist
added 4 days ago28 views

CVE-2026-46455 Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted

Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks... with only the subject-exists check and the realm-URL issuer check. Keycloak's...

0.00411EPSS
Exploits0References1
CVE
CVE
added 4 days ago12 views

CVE-2026-46455

CVE-2026-46455 affects Apache Camel with the camel-keycloak component. The security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks(...) that only enforces subject and issuer, but omits the default IS_ACTIVE check. Consequently, the verifie...

9.8CVSS6AI score0.00411EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKB
added 4 days ago7 views

CVE-2026-46455

Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks... with only the subject-exists check and the realm-URL issuer check. Keycloak's...

6AI score0.00411EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 4 days ago8 views

PT-2026-55908

Name of the Vulnerable Software and Affected Versions Apache Camel versions 4.15.0 through 4.18.2 Apache Camel versions 4.19.0 through 4.20.9 Description Improper authentication and a failure to fail securely in the Apache Camel Keycloak component allow unauthenticated access to protected routes...

9.8CVSS6.3AI score0.00619EPSS
Exploits0References3
NVD
NVD
added 5 days ago10 views

CVE-2026-14781

A flaw exists in the org.keycloak.broker.oidc package where the OIDC broker incorrectly synchronizes the emailverified claim. When an OIDC identity provider is configured with trustEmail=true and the userinfo endpoint is enabled, Keycloak retrieves the email address from the userinfo response but...

4.8CVSS0.00196EPSS
Exploits0References2
CVE
CVE
added 5 days ago17 views

CVE-2026-14781

A flaw in Keycloak’s OIDC broker (org.keycloak.broker.oidc) causes incorrect synchronization of the email_verified claim. When trustEmail=true and the userinfo endpoint is enabled, Keycloak uses email from userinfo but takes email_verified from the id_token without validating that it corresponds ...

4.8CVSS6.1AI score0.00196EPSS
Exploits0References2
Rows per page
Query Builder