Improper Isolation or Compartmentalization
Overview: Affected versions of this package are vulnerable to Improper Isolation or Compartmentalization through improper handling of single-use entries in the SingleUseObjectProvider, a global key-value store. An attacker can gain unauthorized access or compromise accounts by replaying consumed...
Access Control Bypass
Overview: org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Access Control Bypass due to the DefaultAttributes attribute filtering in the user profile...
EUVD-2026-3691
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. Thi...
Keycloak has debug default bind address
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to...
keycloak-server: Debug default bind address
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to...
CVE-2025-11538 Keycloak-server: debug default bind address
A vulnerability exists in Keycloak's server distribution where enabling debug mode (--debug) insecurely defaults to binding the Java Debug Wire Protocol (JDWP) port to all network interfaces (0.0.0.0). This exposes the debug port to the local network, allowing an attacker on the same network segment to...
CVE-2025-11538
Keycloak is affected by CVE-2025-11538 in versions prior to 26.4.4 where enabling debug mode (--debug) binds the JDWP port to all interfaces (0.0.0.0), exposing the debug port on the local network. This potentially allows a local-network attacker to attach a remote debugger and achieve remote cod...
EUVD-2024-3365
Malicious code in bioql PyPI...
GHSA-M4J5-5X4R-2XP9 Keycloak SMTP Inject Vulnerability
Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short, unwanted e-mails. The e-mail address is limited to a 64-character local part, so the attack is limited to very short e-mail subjects and little data; the example is 60 characters. This...
CRLF Injection
Overview: org.keycloak:keycloak-server-spi-private is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to CRLF Injection during the e-mail registration. An attacker can cause the system to send unsolicited...
Denial Of Service (DoS)
org.keycloak:keycloak-quarkus-server is vulnerable to Denial of Service (DoS). The vulnerability is due to insufficient input validation in the processing of security headers, allowing improperly formatted input, such as newlines, to disrupt server operations...
CVE-2024-11734
CVE-2024-11734 describes a denial-of-service in Keycloak where an admin changing realm security headers could inject newlines, causing the server to write to a terminated request and fail it. The issue affects Keycloak releases prior to 26.0.8 (per Nessus/NVD references) and is related to DoS via...
CVE-2024-11734 Org.keycloak:keycloak-quarkus-server: denial of service in keycloak server via security headers
A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a reque...
org.keycloak:keycloak-quarkus-server: Denial of Service in Keycloak Server via Security Headers
A denial of service vulnerability was found in Keycloak that could allow an administrative user with the right to change realm settings to disrupt the service. This action is done by modifying any of the security headers and inserting newlines, which causes the Keycloak server to write to a reque...
org.keycloak:keycloak-quarkus-server: Unrestricted admin use of system and environment variables
A vulnerability was found in Keycloak. Admin users may be able to access sensitive server environment variables and system properties through user-configurable URLs. When configuring backchannel logout URLs or admin URLs, admin users can include placeholders like $env.VARNAME or $PROPNAME. The serve...
Malicious code in keycloak-server (npm)
Source: ossf-package-analysis 3df989aa26dccceca3917c9b3454427df4f54e9c104fbc080e913d30af3e66b2. The OpenSSF Package Analysis project identified 'keycloak-server' @ 0.0.2 (npm) as malicious. It is considered malicious because: - The package...
MAL-2024-11770 Malicious code in keycloak-server (npm)
Source: ossf-package-analysis 3df989aa26dccceca3917c9b3454427df4f54e9c104fbc080e913d30af3e66b2. The OpenSSF Package Analysis project identified 'keycloak-server' @ 0.0.2 (npm) as malicious. It is considered malicious because: - The package...
HTTP Request Smuggling
Keycloak Server is vulnerable to HTTP Request Smuggling. The vulnerability is due to improper handling of proxy headers, allowing attackers to exploit non-IP values, leading to costly DNS resolution operations that can overload IO threads...
CVE-2024-9666
A vulnerability was found in the Keycloak Server. The Keycloak Server is vulnerable to a denial of service (DoS) attack due to improper handling of proxy headers. When Keycloak is configured to accept incoming proxy headers, it may accept non-IP values, such as obfuscated identifiers, without prope...