Lucene search
K

4311 matches found

Nuclei
Nuclei
added yesterday80 views

Keycloak - SAML Core Package Signature Validation Flaw

A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Referen...

7.7CVSS6.6AI score0.0203EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday95 views

Keycloak - Open Redirect

A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially...

6.1CVSS6.1AI score0.01959EPSS
Exploits0References2
Nuclei
Nuclei
added yesterday154 views

Keycloak < 24.0.5 - Broken Access Control

A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise. id: CVE-2024-3656 info...

8.1CVSS6.9AI score0.02837EPSS
Exploits0References5
Nuclei
Nuclei
added yesterday129 views

KeyCloak - Information Exposure

A flaw was found in keycloak in versions prior to 13.0.0. The client registration endpoint allows fetching information about PUBLIC clients like client secret without authentication which could be an issue if the same PUBLIC client changed to CONFIDENTIAL later. The highest threat from this...

6.5CVSS6.6AI score0.17943EPSS
Exploits0References4
Nuclei
Nuclei
added yesterday85 views

Keycloak <= 12.0.1 - request_uri Blind Server-Side Request Forgery (SSRF)

Keycloak 12.0.1 and below allows an attacker to force the server to request an unverified URL using the OIDC parameter requesturi. This allows an attacker to execute a server-side request forgery SSRF attack. id: CVE-2020-10770 info: name: Keycloak = 12.0.1 - requesturi Blind Server-Side Request...

5.3CVSS6.5AI score0.69724EPSS
Exploits5References5
Nuclei
Nuclei
added 2 days ago277 views

Keycloak 10.0.0 - 18.0.0 - Cross-Site Scripting

Keycloak 10.0.0 to 18.0.0 contains a cross-site scripting vulnerability via the client-registrations endpoint. On a POST request, the application does not sanitize an unknown attribute name before including it in the error response with a 'Content-Type' of text/hml. Once reflected, the response i...

6.1CVSS6.6AI score0.37246EPSS
Exploits3References6
Chainguard
Chainguard
added 6 days ago7 views

GHSA-396Q-4VC8-28X9 vulnerabilities

Vulnerabilities for packages: keycloak...

5.9AI score
Exploits0
Chainguard
Chainguard
added 6 days ago8 views

CVE-2026-49336 vulnerabilities

Vulnerabilities for packages: keycloak...

6.9CVSS5.9AI score0.0065EPSS
Exploits0
Wolfi
Wolfi
added 6 days ago6 views

CVE-2026-49336 vulnerabilities

Vulnerabilities for packages: keycloak...

6.9CVSS5.9AI score0.0065EPSS
Exploits0
Wolfi
Wolfi
added 6 days ago7 views

GHSA-396Q-4VC8-28X9 vulnerabilities

Vulnerabilities for packages: keycloak...

5.9AI score
Exploits0
Chainguard
Chainguard
added last week7 views

GHSA-MX76-R943-RF8G vulnerabilities

Vulnerabilities for packages: bouncycastle-fips, guacamole-client, geoserver, wazuh-indexer, keycloak-fips, opensearch...

6.1AI score
Exploits0
Chainguard
Chainguard
added last week6 views

CVE-2026-8149 vulnerabilities

Vulnerabilities for packages: bouncycastle-fips, guacamole-client, geoserver, wazuh-indexer, keycloak-fips, opensearch...

5.1CVSS6.1AI score0.00158EPSS
Exploits0
Veracode
Veracode
added 2026/07/07 8:44 a.m.6 views

Improper Authorization

Keycloak is vulnerable to improper authorization. The vulnerability is due to missing validation that the target user belongs to the caller's realm in certain user read endpoints, which allows a tenant realm administrator to access profile information, client roles, and realm roles of users acros...

6AI score
Exploits0References2Affected Software1
NVD
NVD
added 2026/07/06 9:16 a.m.9 views

CVE-2026-53913

Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely 'Failing Open' vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess, which performs three checks ...

9.8CVSS0.00619EPSS
Exploits0References1
NVD
NVD
added 2026/07/06 9:16 a.m.9 views

CVE-2026-46455

Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks... with only the subject-exists check and the realm-URL issuer check. Keycloak's...

9.8CVSS0.00411EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/07/06 8:12 a.m.8 views

CVE-2026-53913

Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely 'Failing Open' vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess, which performs three checks ...

6.4AI score0.00619EPSS
Exploits0References2Affected Software1
EUVD
EUVD
added 2026/07/06 8:12 a.m.10 views

EUVD-2026-41847

Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely 'Failing Open' vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess, which performs three checks ...

6.4AI score0.00619EPSS
Exploits0References1
CVE
CVE
added 2026/07/06 8:12 a.m.18 views

CVE-2026-53913

CVE-2026-53913 – Apache Camel Keycloak (camel-keycloak) : The vulnerability arises because the KeycloakSecurityPolicy performs token verification only inside role and permission checks. By default, requiredRoles and requiredPermissions are empty, causing these checks to be skipped while the polic...

9.8CVSS6.4AI score0.00619EPSS
Exploits0References1Affected Software1
Cvelist
Cvelist
added 2026/07/06 8:12 a.m.34 views

CVE-2026-53913 Apache Camel Keycloak: KeycloakSecurityPolicy verifies the bearer access token only inside its role and permission checks, so in the default configuration the token is never verified and any non-null bearer value is accepted

Improper Authentication, Missing Authentication for Critical Function, Not Failing Securely 'Failing Open' vulnerability in Apache Camel Keycloak Component. The KeycloakSecurityPolicy of camel-keycloak guards a route by running KeycloakSecurityProcessor.beforeProcess, which performs three checks ...

0.00619EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/06 7:56 a.m.30 views

CVE-2026-46455 Apache Camel: Camel-Keycloak: The access-token validity window is not verified because the IS_ACTIVE check is missing from the TokenVerifier, allowing expired tokens to be accepted

Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper.parseAndVerifyAccessToken builds a Keycloak TokenVerifier using withChecks... with only the subject-exists check and the realm-URL issuer check. Keycloak's...

0.00411EPSS
Exploits1References1
Rows per page
Query Builder