Lucene search
K

1106 matches found

NVD
NVD
added yesterday5 views

CVE-2026-12388

A flaw was found in the Identity Provider IdP mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role"...

6.5CVSS
Exploits0References2
Cvelist
Cvelist
added yesterday12 views

CVE-2026-12388 Keycloak-broker: keycloak: privilege escalation to realm administrator via improper authorization in identity provider mapper

A flaw was found in the Identity Provider IdP mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role"...

6.5CVSS
Exploits0References2
CVE
CVE
added yesterday7 views

CVE-2026-12388

CVE-2026-12388 affects Keycloak’s Identity Provider (IdP) mapper component. A restricted administrator can abuse a misconfigured or specifically a Hardcoded Role mapper to assign high-privilege roles (e.g., realm-admin) to themselves or other users, bypassing security checks and gaining full cont...

6.5CVSS5.8AI score
Exploits0References2
CVE
CVE
added yesterday7 views

CVE-2026-4629

CVE-2026-4629 affects Keycloak. A highly privileged user with the ability to manage clients can inject a hardcoded role mapper into any client, bypassing scope restrictions and injecting the realm-admin role into generated tokens, yielding full administrative access to the realm. The vulnerabilit...

6.5CVSS5.7AI score
Exploits0References2
EUVD
EUVD
added yesterday6 views

EUVD-2026-40301

A flaw was found in the Identity Provider IdP mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role"...

6.5CVSS5.8AI score
Exploits0References2
EUVD
EUVD
added yesterday5 views

EUVD-2026-40300

A flaw was found in Keycloak. A highly privileged user with manage-clients permission can exploit this vulnerability by injecting a hardcoded role mapper into any client. This action allows the user to bypass existing scope restrictions and inject the realm-admin role into generated tokens,...

6.5CVSS5.7AI score
Exploits0References2
RedhatCVE
RedhatCVE
added yesterday4 views

CVE-2026-12388

A flaw was found in the Identity Provider IdP mapper component of Keycloak, which is used to manage how user information from external services is mapped to Keycloak users. An administrator with limited permissions to manage identity providers can exploit this flaw by creating a "Hardcoded Role"...

6.5CVSS5.6AI score
Exploits0References3
NVD
NVD
added 2 days ago7 views

CVE-2026-55957

Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1...

7.3CVSS0.00213EPSS
Exploits0References2
Cvelist
Cvelist
added 2 days ago25 views

CVE-2026-55957 Apache Tomcat: Authentication bypass with JNDIRealm and GSSAPI authenticated bind

Missing Critical Step in Authentication vulnerability in Apache Tomcat when the JNDIRealm was configured to authenticate binds using GSSAPI allowed attackers to authenticate without provided the correct password. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.4, from 10.1.0-M1...

0.00213EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 6 days ago7 views

CVE-2026-53440

A flaw was found in Jenkins. This vulnerability allows a remote attacker to perform phishing attacks. The 'Delegate to servlet container' security realm does not properly validate the 'from' parameter, which can be manipulated to redirect users to an attacker-controlled domain after they log in...

4.3CVSS5.9AI score0.00239EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 6 days ago6 views

keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement

A flaw was found in Keycloak's Fine-Grained Admin Permissions FGAPv2 feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security...

7.3CVSS5.8AI score0.00292EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 6 days ago6 views

keycloak: Group-Admin Escalation to Realm-Admin

A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...

7.7CVSS5.8AI score0.00275EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 6 days ago6 views

keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing

A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining...

4.9CVSS5.9AI score0.00495EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 6 days ago4 views

CVE-2026-53001

A flaw was identified in the Linux kernel's netfilter xtables component. This vulnerability allowed certain network filtering rules, specifically those involving xtmac, xtowner, xtphysdev, and xtrealm matches, to be applied outside of their intended internet protocol IPv4 and IPv6 contexts. This...

5.5CVSS5.8AI score0.00176EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 6 days ago5 views

keycloak: Keycloak: Privilege escalation via improper scope mapping enforcement

A flaw was found in Keycloak's Fine-Grained Admin Permissions FGAPv2 feature. An administrator with limited client management permissions can exploit this vulnerability to assign any realm role, including highly privileged roles, to a client's scope mapping. This bypasses intended security...

7.3CVSS5.7AI score0.00292EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 6 days ago4 views

keycloak: Group-Admin Escalation to Realm-Admin

A flaw was found in Keycloak. A missing authorization check in the GroupResource.addChild endpoint within the Admin REST API allows an authenticated user with limited administrative privileges to reparent any existing group. When Fine-Grained Admin Permissions v2 FGAPv2 is enabled, an attacker wi...

7.7CVSS5.8AI score0.00275EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 6 days ago5 views

keycloak: Keycloak: Information disclosure through arbitrary filesystem path probing

A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining...

4.9CVSS5.9AI score0.00495EPSS
Exploits0References4
RedHat Linux
RedHat Linux
added 6 days ago5 views

org.keycloak/keycloak-services: keycloak: org.keycloak.protocol.oidc: Security flaw in org.keycloak/keycloak-services

A flaw was found in Keycloak. When both realm-level and client-level notBefore revocation policies are configured, Keycloak's OpenID Connect OIDC Introspection feature fails to properly honor the realm-level policy. This allows tokens that should have been revoked to remain active, potentially...

5.4CVSS5.7AI score0.00281EPSS
Exploits0References4
NVD
NVD
added 6 days ago8 views

CVE-2026-9083

A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining...

4.9CVSS0.00495EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 6 days ago6 views

CVE-2026-9083

A flaw was found in Keycloak. A realm administrator with the "manage-realm" role can exploit this vulnerability by submitting an arbitrary filesystem path as a keystore parameter when creating a key provider component. This allows the administrator to probe arbitrary filesystem paths, determining...

4.9CVSS5.9AI score0.00495EPSS
Exploits0References7
Rows per page
Query Builder