org.keycloak:keycloak-services (maven) security advisories

MEDIUM 6.4

Maven

CVE-2026-9087

Keycloak: Insufficient verification proof scoping enables identity provider account linking attack and account compromise

May 20, 2026

MEDIUM 5.4

Maven

CVE-2026-8922

Keycloak: Revoked Tokens Can Remain Active When Both Realm-Level and Client-Level `notBefore` Revocation Policies are Configured

May 19, 2026

MEDIUM 4.3

Maven

CVE-2026-8830

Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation

May 19, 2026

MEDIUM 5.4

Maven

CVE-2026-7500

Keycloak has a Forced Browsing issue

Apr 30, 2026

HIGH 8.1

Maven

CVE-2026-7504

Keycloak: Open redirect when using wildcard valid redirect URIs in Keycloak

May 19, 2026

MEDIUM 6.8

Maven

CVE-2026-37982

Keycloak: Unauthorized account takeover via WebAuthn token replay

May 19, 2026

MEDIUM 6.5

Maven

CVE-2026-37979

Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass

May 19, 2026

MEDIUM 4.9

Maven

CVE-2026-37978

Keycloak: Information Disclosure via evaluate-scopes Admin API

May 19, 2026

HIGH 7.1

Maven

CVE-2026-7571

Keycloak: Access token disclosure and implicit flow bypass via forged client data

May 19, 2026

HIGH 7.5

Maven

CVE-2026-7507

Keycloak: Session fixation in OIDC login flow that can lead to account takeover

May 19, 2026

HIGH 8.1

Maven

CVE-2026-2603

Keycloak: Unauthorized authentication via disabled SAML Identity Provider

Mar 18, 2026

MEDIUM 6.9

Maven

CVE-2026-37980

Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page

Apr 14, 2026

MEDIUM 4.3

Maven

CVE-2026-4628

Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false

Mar 23, 2026

LOW 3.1

Maven

CVE-2026-4874

Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation

Mar 26, 2026

LOW 3.7

Maven

CVE-2026-4633

Keycloak's identity-first login flow exposes user information

Mar 23, 2026

HIGH 7.7

Maven

CVE-2026-2092

Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

Mar 18, 2026

LOW 3.7

Maven

CVE-2026-37977

Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim

Apr 6, 2026

MEDIUM 6.5

Maven

CVE-2026-3121

Keycloak: manage-clients permission escalates to full realm admin access

Mar 26, 2026

HIGH 7.3

Maven

CVE-2026-3872

Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint

Apr 2, 2026

MEDIUM 5.3

Maven

CVE-2026-4325

Keycloak: Replay of action tokens via improper handling of single-use entries

Apr 2, 2026

HIGH 7.4

Maven

CVE-2026-4282

Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

Apr 2, 2026

HIGH 8.1

Maven

CVE-2026-4636

Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants

Apr 2, 2026

HIGH 7.5

Maven

CVE-2026-4634

Keycloak: Application-Level DoS via Scope Processing

Apr 2, 2026

MEDIUM 4.3

Maven

CVE-2026-3190

Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure

Mar 26, 2026

LOW 2.7

Maven

CVE-2025-14083

Keycloak Admin REST API exposes backend schema and rules

Jan 21, 2026

LOW 2.7

Maven

CVE-2025-14082

Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions

Dec 10, 2025

LOW 2.7

Maven

CVE-2026-3911

Keycloak: Information disclosure of disabled user attributes via administrative endpoint

Mar 11, 2026

MEDIUM 4.2

Maven

CVE-2026-3429

Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API

Mar 11, 2026

LOW 3.1

Maven

CVE-2026-1035

Keycloak does not validate and update refresh token usage atomically

Jan 21, 2026

MEDIUM 5.3

Maven

CVE-2026-2575

Keycloak: Denial of Service due to excessive SAMLRequest decompression

Mar 18, 2026

HIGH 8.8

Maven

CVE-2021-4133

Improper Authorization in Keycloak

Jan 6, 2022

MEDIUM 5.4

Maven

CVE-2022-1274

HTML Injection in Keycloak Admin REST API

Mar 1, 2023

CRITICAL 9.8

Maven

CVE-2022-1245

Keycloak vulnerable to privilege escalation on Token Exchange feature

Apr 26, 2022

HIGH 8.1

Maven

CVE-2026-3009

Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator

Mar 5, 2026

LOW 3.8

Maven

CVE-2026-2733

Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

Feb 19, 2026

LOW 3.1

Maven

CVE-2026-1190

Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods

Jan 26, 2026

LOW 3.1

Maven

CVE-2025-12150

Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass

Feb 27, 2026

MEDIUM 5.4

Maven

CVE-2025-11429

Keycloak does not invalidate sessions when "Remember Me" is disabled

Oct 23, 2025

MEDIUM 5.4

Maven

CVE-2025-12110

Keycloak does not invalidate offline sessions when the offline_access scope is removed

Oct 23, 2025

MEDIUM 5.4

Maven

CVE-2025-14778

Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService

Feb 9, 2026

HIGH 8.8

Maven

CVE-2026-1486

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

Feb 9, 2026

LOW 2.7

Maven

CVE-2025-13881

Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes

Feb 2, 2026

HIGH 8.1

Maven

CVE-2026-1529

Keycloak affected by improper invitation token validation

Feb 9, 2026

MEDIUM 6.5

Maven

CVE-2025-14559

Keycloak services allows the issuance of access and refresh tokens for disabled users

Jan 21, 2026

MEDIUM 6.0

Maven

CVE-2023-6717

Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow

Apr 17, 2024

MEDIUM 6.1

Maven

CVE-2024-8883

Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect

Oct 14, 2024

MEDIUM 6.5

Maven

CVE-2024-10270

org.keycloak:keycloak-services has Inefficient Regular Expression Complexity

Nov 25, 2024

HIGH 7.5

Maven

CVE-2024-4540

Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)

Jun 10, 2024

HIGH 8.7

Maven

CVE-2023-0264

Keycloak vulnerable to user impersonation via stolen UUID code

Mar 2, 2023

HIGH 8.2

Maven

CVE-2025-3501

Keycloak hostname verification

Apr 30, 2025

LOW 3.4

Maven

CVE-2023-0657

Keycloak vulnerable to impersonation via logout token exchange

Apr 17, 2024

HIGH 8.1

Maven

CVE-2024-3656

Keycloak's admin API allows low privilege users to use administrative functions

Jun 11, 2024

HIGH 7.4

Maven

CVE-2024-1249

Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS

Apr 17, 2024

MEDIUM 5.4

Maven

CVE-2023-6544

Keycloak Authorization Bypass vulnerability

Apr 17, 2024

HIGH 8.1

Maven

CVE-2024-1132

Keycloak path traversal vulnerability in redirection validation

Apr 17, 2024

MEDIUM 6.5

Maven

CVE-2023-6787

Keycloak vulnerable to session hijacking via re-authentication

Apr 17, 2024

MEDIUM 5.0

Maven

CVE-2023-3597

Keycloak secondary factor bypass in step-up authentication

Apr 17, 2024

MEDIUM 6.0

Maven

CVE-2025-12390

Keycloak vulnerable to session takeovers due to reuse of session identifiers

Oct 28, 2025

MEDIUM 5.4

Maven

CVE-2025-3910

Keycloak vulnerable to two factor authentication bypass

Apr 30, 2025

HIGH 7.1

Maven

CVE-2024-2419

Keycloak path traversal vulnerability in the redirect validation

Apr 17, 2024

HIGH 7.1

Maven

CVE-2024-7341

Keycloak has session fixation in Elytron SAML adapters

Oct 14, 2024

MEDIUM 5.3

Maven

CVE-2025-8419

Keycloak SMTP Inject Vulnerability

Sep 17, 2025

MEDIUM 6.5

Maven

GHSA-qj5r-2r5p-phc7

Duplicate Advisory: Keycloak-services SMTP Inject Vulnerability

Aug 6, 2025

MEDIUM 5.4

Maven

CVE-2025-7365

Keycloak phishing attack via email verification step in first login flow

Jul 30, 2025

MEDIUM 5.4

Maven

GHSA-gj52-35xm-gxjh

Duplicate Advisory: Keycloak phishing attack via email verification step in first login flow

Jul 10, 2025

MEDIUM 6.5

Maven

CVE-2025-7784

Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled)

Jul 30, 2025

MEDIUM 6.5

Maven

GHSA-83j7-mhw9-388w

Duplicate Advisory: Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled)

Jul 18, 2025

HIGH 8.2

Maven

GHSA-r934-w73g-v4p8

Duplicate Advisory: Keycloak hostname verification

Apr 29, 2025

MEDIUM 5.4

Maven

GHSA-fx44-2wx5-5fvp

Duplicate Advisory: Keycloak vulnerable to two factor authentication bypass

Apr 29, 2025

MEDIUM 4.9

Maven

CVE-2025-2559

Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache

Mar 25, 2025

MEDIUM 5.4

Maven

GHSA-rq4w-cjrr-h8w8

Duplicate Advisory: Keycloak allows Incorrect Assignment of an Organization to a User

Feb 17, 2025

MEDIUM 5.4

Maven

CVE-2025-1391

Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims

Mar 10, 2025

LOW 3.7

Maven

CVE-2024-1722

Keycloak Denial of Service via account lockout

Jun 12, 2024

MEDIUM 6.8

Maven

GHSA-vvf8-2h68-9475

Duplicate Advisory: Keycloak Open Redirect vulnerability

Sep 19, 2024

LOW 3.7

Maven

CVE-2021-3754

Keycloak's improper input validation allows using email as username

Jun 12, 2024

HIGH 7.1

Maven

GHSA-j76j-rqwj-jmvv

Duplicate Advisory: Keycloak Session Fixation vulnerability

Sep 9, 2024

MEDIUM 6.5

Maven

GHSA-8wm9-24qg-m5qj

Duplicate Advisory: Keycloak has a brute force login protection bypass

Sep 3, 2024

MEDIUM 4.6

Maven

GHSA-5968-qw33-h47j

Duplicate Advisory: Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri

Dec 15, 2023

MEDIUM 6.5

Maven

GHSA-j3x3-r585-4qhg

Duplicate Advisory: org.keycloak:keycloak-services has Inefficient Regular Expression Complexity

Nov 25, 2024

UNKNOWN

Maven

CVE-2022-2232

Keycloak vulnerable to LDAP Injection on UsernameForm Login

Nov 29, 2023

HIGH 7.5

Maven

GHSA-4vrx-8phj-x3mg

Duplicate Advisory: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)

Jun 3, 2024

UNKNOWN

Maven

GHSA-mwm4-5qwr-g9pf

Keycloak is vulnerable to IDN homograph attack

Apr 28, 2022

MEDIUM 6.5

Maven

CVE-2024-4629

Keycloak Services has a potential bypass of brute force protection

Sep 17, 2024

MEDIUM 5.3

Maven

CVE-2023-6484

Keycloak vulnerable to log Injection during WebAuthn authentication or registration

Apr 17, 2024

MEDIUM 4.8

Maven

CVE-2020-10776

Cross-site Scripting in keycloak

Feb 9, 2022

MEDIUM 6.1

Maven

CVE-2014-3652

JBoss KeyCloak Open Redirect

May 17, 2022

HIGH 7.1

Maven

CVE-2023-2422

Keycloak vulnerable to Improper Client Certificate Validation for OAuth/OpenID clients

Jun 30, 2023

HIGH 8.8

Maven

CVE-2014-3709

JBoss Keycloak CSRF Vulnerability

May 17, 2022

MEDIUM 4.6

Maven

CVE-2023-6134

Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri

Dec 18, 2023

MEDIUM 5.4

Maven

CVE-2018-10894

Keycloak Authentication Error

May 13, 2022

LOW 3.5

Maven

CVE-2023-2585

Client Spoofing within the Keycloak Device Authorisation Grant

Jun 30, 2023

CRITICAL 10.0

Maven

CVE-2022-4361

Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC

Jun 30, 2023

HIGH 7.1

Maven

CVE-2023-6291

The redirect_uri validation logic allows for bypassing explicitly allowed hosts that would otherwise be restricted

Dec 21, 2023

MEDIUM 6.4

Maven

CVE-2022-1438

Keycloak vulnerable to Cross-site Scripting

Mar 1, 2023

MEDIUM 5.3

Maven

CVE-2021-3424

Keycloak is vulnerable to IDN homograph attack

Apr 28, 2022

MEDIUM 4.3

Maven

CVE-2014-3655

JBoss KeyCloak is vulnerable to soft token deletion via CSRF

May 17, 2022

org.keycloak:keycloak-services

Vulnerabilities

Keycloak: Insufficient verification proof scoping enables identity provider account linking attack and account compromise

Keycloak: Revoked Tokens Can Remain Active When Both Realm-Level and Client-Level `notBefore` Revocation Policies are Configured

Keycloak: Policy bypass during WebAuthn credential registration via client-side JavaScript manipulation

Keycloak has a Forced Browsing issue

Keycloak: Open redirect when using wildcard valid redirect URIs in Keycloak

Keycloak: Unauthorized account takeover via WebAuthn token replay

Keycloak: Information disclosure via OIDC token introspection endpoint audience bypass

Keycloak: Information Disclosure via evaluate-scopes Admin API

Keycloak: Access token disclosure and implicit flow bypass via forged client data

Keycloak: Session fixation in OIDC login flow that can lead to account takeover

Keycloak: Unauthorized authentication via disabled SAML Identity Provider

Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page

Keycloak has Improper Access Control that allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false

Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation

Keycloak's identity-first login flow exposes user information

Keycloak: Unauthorized access via improper validation of encrypted SAML assertions

Keycloak vulnerable to information disclosure via CORS header injection due to unvalidated JWT azp claim

Keycloak: manage-clients permission escalates to full realm admin access

Keycloak: Redirect URI validation bypass via ..;/ path traversal in OIDC auth endpoint

Keycloak: Replay of action tokens via improper handling of single-use entries

Keycloak: Privilege escalation via forged authorization codes due to SingleUseObjectProvider isolation flaw

Keycloak: UMA Policy Resource Injection Allows Unauthorized Cross-User Permission Grants

Keycloak: Application-Level DoS via Scope Processing

Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure

Keycloak Admin REST API exposes backend schema and rules

Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions

Keycloak: Information disclosure of disabled user attributes via administrative endpoint

Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API

Keycloak does not validate and update refresh token usage atomically

Keycloak: Denial of Service due to excessive SAMLRequest decompression

Improper Authorization in Keycloak

HTML Injection in Keycloak Admin REST API

Keycloak vulnerable to privilege escalation on Token Exchange feature

Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator

Keycloak: Missing Check on Disabled Client for Docker Registry Protocol

Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods

Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass

Keycloak does not invalidate sessions when "Remember Me" is disabled

Keycloak does not invalidate offline sessions when the offline_access scope is removed

Keycloak Affected by Broken Access Control Vulnerability in the UserManagedPermissionService

Keycloak fails to verify if an Identity Provider (IdP) is enabled before issuing tokens

Keycloak Admin API allows an administrator with limited privileges to retrieve sensitive custom attributes

Keycloak affected by improper invitation token validation

Keycloak services allows the issuance of access and refresh tokens for disabled users

Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow

Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect

org.keycloak:keycloak-services has Inefficient Regular Expression Complexity

Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)

Keycloak vulnerable to user impersonation via stolen UUID code

Keycloak hostname verification

Keycloak vulnerable to impersonation via logout token exchange

Keycloak's admin API allows low privilege users to use administrative functions

Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS

Keycloak Authorization Bypass vulnerability

Keycloak path traversal vulnerability in redirection validation

Keycloak vulnerable to session hijacking via re-authentication

Keycloak secondary factor bypass in step-up authentication

Keycloak vulnerable to session takeovers due to reuse of session identifiers

Keycloak vulnerable to two factor authentication bypass

Keycloak path traversal vulnerability in the redirect validation

Keycloak has session fixation in Elytron SAML adapters

Keycloak SMTP Inject Vulnerability

Duplicate Advisory: Keycloak-services SMTP Inject Vulnerability

Keycloak phishing attack via email verification step in first login flow

Duplicate Advisory: Keycloak phishing attack via email verification step in first login flow

Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled)

Duplicate Advisory: Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled)

Duplicate Advisory: Keycloak hostname verification

Duplicate Advisory: Keycloak vulnerable to two factor authentication bypass

Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache

Duplicate Advisory: Keycloak allows Incorrect Assignment of an Organization to a User

Improper Authorization in Keycloak Organization Mapper Allows Unauthorized Organization Claims

Keycloak Denial of Service via account lockout

Duplicate Advisory: Keycloak Open Redirect vulnerability

Keycloak's improper input validation allows using email as username

Duplicate Advisory: Keycloak Session Fixation vulnerability

Duplicate Advisory: Keycloak has a brute force login protection bypass

Duplicate Advisory: Keycloak vulnerable to reflected XSS via wildcard in OIDC redirect_uri