Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.keycloak/keycloak-parent@15.0.0

Type maven

Namespace org.keycloak

Name keycloak-parent

Version 15.0.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url VCID-3jpe-awam-wqdz

vulnerability_id VCID-3jpe-awam-wqdz

summary

Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications.

references

reference_url

https://access.redhat.com/errata/RHSA-2026:3947

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T15:54:59Z/

url

https://access.redhat.com/errata/RHSA-2026:3947

reference_url

https://access.redhat.com/errata/RHSA-2026:3948

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T15:54:59Z/

url

https://access.redhat.com/errata/RHSA-2026:3948

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0707.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-0707.json

reference_url

https://access.redhat.com/security/cve/CVE-2026-0707

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T15:54:59Z/

url

https://access.redhat.com/security/cve/CVE-2026-0707

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-0707

reference_id

reference_type

scores

value	0.00029
scoring_system	epss
scoring_elements	0.08113
published_at	2026-04-18T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08248
published_at	2026-04-04T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08196
published_at	2026-04-07T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.0826
published_at	2026-04-08T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.0828
published_at	2026-04-09T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.0827
published_at	2026-04-11T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08251
published_at	2026-04-12T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08233
published_at	2026-04-13T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08127
published_at	2026-04-16T12:55:00Z

value	0.00029
scoring_system	epss
scoring_elements	0.08195
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-0707

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2427768

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-01-08T15:54:59Z/

url

https://bugzilla.redhat.com/show_bug.cgi?id=2427768

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-0707

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-0707

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.4::el9
reference_id	cpe:/a:redhat:build_keycloak:26.4::el9
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:26.4::el9

reference_url

https://github.com/advisories/GHSA-gv94-wp4h-vv8p

reference_id

GHSA-gv94-wp4h-vv8p

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-gv94-wp4h-vv8p

fixed_packages

url pkg:maven/org.keycloak/keycloak-parent@26.5.1

purl pkg:maven/org.keycloak/keycloak-parent@26.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-jkh6-bvx2-dycm

vulnerability	VCID-umcf-t6w5-juha

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@26.5.1

aliases CVE-2026-0707, GHSA-gv94-wp4h-vv8p

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3jpe-awam-wqdz

url VCID-7z49-f322-n7g8

vulnerability_id VCID-7z49-f322-n7g8

summary

Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console
An issue was discovered in Keycloak allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the `UPLOAD_SCRIPTS` feature is disabled

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2668.json

reference_id

reference_type

scores

value	6.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2668.json

reference_url

https://access.redhat.com/security/cve/CVE-2022-2668

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/CVE-2022-2668

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-2668

reference_id

reference_type

scores

value	0.00473
scoring_system	epss
scoring_elements	0.64744
published_at	2026-04-18T12:55:00Z

value	0.00473
scoring_system	epss
scoring_elements	0.6467
published_at	2026-04-02T12:55:00Z

value	0.00473
scoring_system	epss
scoring_elements	0.64698
published_at	2026-04-04T12:55:00Z

value	0.00473
scoring_system	epss
scoring_elements	0.64656
published_at	2026-04-07T12:55:00Z

value	0.00473
scoring_system	epss
scoring_elements	0.64704
published_at	2026-04-08T12:55:00Z

value	0.00473
scoring_system	epss
scoring_elements	0.64719
published_at	2026-04-09T12:55:00Z

value	0.00473
scoring_system	epss
scoring_elements	0.64736
published_at	2026-04-11T12:55:00Z

value	0.00473
scoring_system	epss
scoring_elements	0.64724
published_at	2026-04-12T12:55:00Z

value	0.00473
scoring_system	epss
scoring_elements	0.64696
published_at	2026-04-13T12:55:00Z

value	0.00473
scoring_system	epss
scoring_elements	0.64733
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-2668

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2115392

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=2115392

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url

https://github.com/keycloak/keycloak/commit/e2ae7eef39b27e48ffa4764995d558555f02838c

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/commit/e2ae7eef39b27e48ffa4764995d558555f02838c

reference_url

https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/security/advisories/GHSA-wf7g-7h6h-678v

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-2668

reference_id

reference_type

scores

value	7.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-2668

reference_url

https://github.com/advisories/GHSA-wf7g-7h6h-678v

reference_id

GHSA-wf7g-7h6h-678v

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wf7g-7h6h-678v

reference_url	https://access.redhat.com/errata/RHSA-2022:6782
reference_id	RHSA-2022:6782
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6782

reference_url	https://access.redhat.com/errata/RHSA-2022:6783
reference_id	RHSA-2022:6783
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6783

reference_url	https://access.redhat.com/errata/RHSA-2022:6787
reference_id	RHSA-2022:6787
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6787

reference_url	https://access.redhat.com/errata/RHSA-2022:7409
reference_id	RHSA-2022:7409
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:7409

reference_url	https://access.redhat.com/errata/RHSA-2022:7410
reference_id	RHSA-2022:7410
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:7410

reference_url	https://access.redhat.com/errata/RHSA-2022:7411
reference_id	RHSA-2022:7411
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:7411

reference_url	https://access.redhat.com/errata/RHSA-2022:7417
reference_id	RHSA-2022:7417
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:7417

fixed_packages

url pkg:maven/org.keycloak/keycloak-parent@19.0.2

purl pkg:maven/org.keycloak/keycloak-parent@19.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jpe-awam-wqdz

vulnerability	VCID-dxj3-8sk5-mfdy

vulnerability	VCID-jkh6-bvx2-dycm

vulnerability	VCID-nhe2-8dtq-gqbf

vulnerability	VCID-umcf-t6w5-juha

vulnerability	VCID-xauc-r9cm-sycu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@19.0.2

aliases CVE-2022-2668, GHSA-wf7g-7h6h-678v

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7z49-f322-n7g8

url VCID-8cmx-d3j7-vqbz

vulnerability_id VCID-8cmx-d3j7-vqbz

summary

Reflected XSS on clients-registrations endpoint
A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. When a malicious request is sent to the client registration endpoint, the error message is not properly escaped, allowing an attacker to execute malicious scripts into the user's browser.

references

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url

https://github.com/advisories/GHSA-m98g-63qj-fp8j

reference_id

GHSA-m98g-63qj-fp8j

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-m98g-63qj-fp8j

reference_url

https://github.com/keycloak/keycloak/security/advisories/GHSA-m98g-63qj-fp8j

reference_id

GHSA-m98g-63qj-fp8j

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/security/advisories/GHSA-m98g-63qj-fp8j

fixed_packages

url pkg:maven/org.keycloak/keycloak-parent@18.0.0

purl pkg:maven/org.keycloak/keycloak-parent@18.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jpe-awam-wqdz

vulnerability	VCID-7z49-f322-n7g8

vulnerability	VCID-cabc-jrpz-vuad

vulnerability	VCID-dxj3-8sk5-mfdy

vulnerability	VCID-jkh6-bvx2-dycm

vulnerability	VCID-nhe2-8dtq-gqbf

vulnerability	VCID-umcf-t6w5-juha

vulnerability	VCID-xauc-r9cm-sycu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@18.0.0

aliases GHSA-m98g-63qj-fp8j, GMS-2022-1097

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8cmx-d3j7-vqbz

url VCID-8zrg-f41g-pqfk

vulnerability_id VCID-8zrg-f41g-pqfk

summary

ECP SAML binding bypasses authentication flows
### Description
A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3827.json

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3827.json

reference_url

https://access.redhat.com/security/cve/CVE-2021-3827

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/CVE-2021-3827

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-3827

reference_id

reference_type

scores

value	0.00208
scoring_system	epss
scoring_elements	0.43233
published_at	2026-04-13T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43248
published_at	2026-04-12T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.4328
published_at	2026-04-11T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.4326
published_at	2026-04-09T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.4323
published_at	2026-04-02T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43283
published_at	2026-04-18T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43294
published_at	2026-04-16T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43247
published_at	2026-04-08T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43174
published_at	2026-04-01T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43196
published_at	2026-04-07T12:55:00Z

value	0.00208
scoring_system	epss
scoring_elements	0.43259
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-3827

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2007512

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=2007512

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url

https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/commit/44000caaf5051d7f218d1ad79573bd3d175cad0d

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-3827

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-3827

reference_url

https://security.archlinux.org/AVG-1332

reference_id

AVG-1332

reference_type

scores

value	High
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-1332

reference_url

https://github.com/advisories/GHSA-4pc7-vqv5-5r3v

reference_id

GHSA-4pc7-vqv5-5r3v

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-4pc7-vqv5-5r3v

reference_url

https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v

reference_id

GHSA-4pc7-vqv5-5r3v

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/security/advisories/GHSA-4pc7-vqv5-5r3v

reference_url	https://access.redhat.com/errata/RHSA-2022:0151
reference_id	RHSA-2022:0151
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:0151

reference_url	https://access.redhat.com/errata/RHSA-2022:0152
reference_id	RHSA-2022:0152
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:0152

reference_url	https://access.redhat.com/errata/RHSA-2022:0155
reference_id	RHSA-2022:0155
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:0155

reference_url	https://access.redhat.com/errata/RHSA-2022:0164
reference_id	RHSA-2022:0164
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:0164

fixed_packages

url pkg:maven/org.keycloak/keycloak-parent@18.0.0

purl pkg:maven/org.keycloak/keycloak-parent@18.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jpe-awam-wqdz

vulnerability	VCID-7z49-f322-n7g8

vulnerability	VCID-cabc-jrpz-vuad

vulnerability	VCID-dxj3-8sk5-mfdy

vulnerability	VCID-jkh6-bvx2-dycm

vulnerability	VCID-nhe2-8dtq-gqbf

vulnerability	VCID-umcf-t6w5-juha

vulnerability	VCID-xauc-r9cm-sycu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@18.0.0

aliases CVE-2021-3827, GHSA-4pc7-vqv5-5r3v, GMS-2022-1098

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8zrg-f41g-pqfk

url VCID-cabc-jrpz-vuad

vulnerability_id VCID-cabc-jrpz-vuad

summary

Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles
A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release (18.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing of the default roles functionality. 

### CVSS 3.1 - **3.8**

**Vector String:** AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

**Vector Clarification:**

* User interaction is not required as the admin console is regularly used during an administrator's work
* The scope is unchanged since the admin console web application is both the vulnerable component and where the exploit executes

### Credits

Aytaç Kalıncı, Ilker Bulgurcu, Yasin Yılmaz (@aytackalinci, @smileronin, @yasinyilmaz) - NETAŞ PENTEST TEAM

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2256.json

reference_id

reference_type

scores

value	3.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-2256.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-2256

reference_id

reference_type

scores

value	0.00882
scoring_system	epss
scoring_elements	0.75428
published_at	2026-04-18T12:55:00Z

value	0.00882
scoring_system	epss
scoring_elements	0.75421
published_at	2026-04-16T12:55:00Z

value	0.00882
scoring_system	epss
scoring_elements	0.7538
published_at	2026-04-13T12:55:00Z

value	0.00882
scoring_system	epss
scoring_elements	0.75391
published_at	2026-04-12T12:55:00Z

value	0.00882
scoring_system	epss
scoring_elements	0.7534
published_at	2026-04-07T12:55:00Z

value	0.00882
scoring_system	epss
scoring_elements	0.75393
published_at	2026-04-09T12:55:00Z

value	0.00882
scoring_system	epss
scoring_elements	0.75383
published_at	2026-04-08T12:55:00Z

value	0.00882
scoring_system	epss
scoring_elements	0.75328
published_at	2026-04-02T12:55:00Z

value	0.00882
scoring_system	epss
scoring_elements	0.7536
published_at	2026-04-04T12:55:00Z

value	0.00882
scoring_system	epss
scoring_elements	0.75413
published_at	2026-04-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-2256

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2101942

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=2101942

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url

https://github.com/keycloak/keycloak/commit/8e705a65ab2aa2b079374ec859ee7a75fad5a7d9

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/commit/8e705a65ab2aa2b079374ec859ee7a75fad5a7d9

reference_url

https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-2256

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-2256

reference_url

https://github.com/advisories/GHSA-w9mf-83w3-fv49

reference_id

GHSA-w9mf-83w3-fv49

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-w9mf-83w3-fv49

reference_url	https://access.redhat.com/errata/RHSA-2022:6782
reference_id	RHSA-2022:6782
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6782

reference_url	https://access.redhat.com/errata/RHSA-2022:6783
reference_id	RHSA-2022:6783
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6783

reference_url	https://access.redhat.com/errata/RHSA-2022:6787
reference_id	RHSA-2022:6787
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:6787

fixed_packages

url pkg:maven/org.keycloak/keycloak-parent@19.0.2

purl pkg:maven/org.keycloak/keycloak-parent@19.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jpe-awam-wqdz

vulnerability	VCID-dxj3-8sk5-mfdy

vulnerability	VCID-jkh6-bvx2-dycm

vulnerability	VCID-nhe2-8dtq-gqbf

vulnerability	VCID-umcf-t6w5-juha

vulnerability	VCID-xauc-r9cm-sycu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@19.0.2

aliases CVE-2022-2256, GHSA-w9mf-83w3-fv49

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cabc-jrpz-vuad

url VCID-dxj3-8sk5-mfdy

vulnerability_id VCID-dxj3-8sk5-mfdy

summary

Insufficient Session Expiration
A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user.

references

reference_url

https://access.redhat.com/errata/RHSA-2022:8961

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:08:01Z/

url

https://access.redhat.com/errata/RHSA-2022:8961

reference_url

https://access.redhat.com/errata/RHSA-2022:8962

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:08:01Z/

url

https://access.redhat.com/errata/RHSA-2022:8962

reference_url

https://access.redhat.com/errata/RHSA-2022:8963

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:08:01Z/

url

https://access.redhat.com/errata/RHSA-2022:8963

reference_url

https://access.redhat.com/errata/RHSA-2022:8964

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:08:01Z/

url

https://access.redhat.com/errata/RHSA-2022:8964

reference_url

https://access.redhat.com/errata/RHSA-2022:8965

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:08:01Z/

url

https://access.redhat.com/errata/RHSA-2022:8965

reference_url

https://access.redhat.com/errata/RHSA-2023:1043

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:08:01Z/

url

https://access.redhat.com/errata/RHSA-2023:1043

reference_url

https://access.redhat.com/errata/RHSA-2023:1044

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:08:01Z/

url

https://access.redhat.com/errata/RHSA-2023:1044

reference_url

https://access.redhat.com/errata/RHSA-2023:1045

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:08:01Z/

url

https://access.redhat.com/errata/RHSA-2023:1045

reference_url

https://access.redhat.com/errata/RHSA-2023:1047

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:08:01Z/

url

https://access.redhat.com/errata/RHSA-2023:1047

reference_url

https://access.redhat.com/errata/RHSA-2023:1049

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:08:01Z/

url

https://access.redhat.com/errata/RHSA-2023:1049

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3916.json

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3916.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-3916

reference_id

reference_type

scores

value	0.00226
scoring_system	epss
scoring_elements	0.45477
published_at	2026-04-18T12:55:00Z

value	0.00226
scoring_system	epss
scoring_elements	0.45418
published_at	2026-04-02T12:55:00Z

value	0.00226
scoring_system	epss
scoring_elements	0.45438
published_at	2026-04-04T12:55:00Z

value	0.00226
scoring_system	epss
scoring_elements	0.45382
published_at	2026-04-07T12:55:00Z

value	0.00226
scoring_system	epss
scoring_elements	0.45437
published_at	2026-04-09T12:55:00Z

value	0.00226
scoring_system	epss
scoring_elements	0.45458
published_at	2026-04-11T12:55:00Z

value	0.00226
scoring_system	epss
scoring_elements	0.45428
published_at	2026-04-12T12:55:00Z

value	0.00226
scoring_system	epss
scoring_elements	0.4543
published_at	2026-04-13T12:55:00Z

value	0.00226
scoring_system	epss
scoring_elements	0.45481
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-3916

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2141404

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:08:01Z/

url

https://bugzilla.redhat.com/show_bug.cgi?id=2141404

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6
reference_id	cpe:/a:redhat:red_hat_single_sign_on:7.6
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6.1
reference_id	cpe:/a:redhat:red_hat_single_sign_on:7.6.1
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6.1

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
reference_id	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6::el7

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
reference_id	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6::el8

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
reference_id	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6::el9

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:rhosemc:1.0::el8
reference_id	cpe:/a:redhat:rhosemc:1.0::el8
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:rhosemc:1.0::el8

reference_url

https://access.redhat.com/security/cve/CVE-2022-3916

reference_id

CVE-2022-3916

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-07-13T20:08:01Z/

url

https://access.redhat.com/security/cve/CVE-2022-3916

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-3916

reference_id

CVE-2022-3916

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-3916

reference_url

https://github.com/advisories/GHSA-97g8-xfvw-q4hg

reference_id

GHSA-97g8-xfvw-q4hg

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-97g8-xfvw-q4hg

reference_url

https://github.com/keycloak/keycloak/security/advisories/GHSA-97g8-xfvw-q4hg

reference_id

GHSA-97g8-xfvw-q4hg

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/security/advisories/GHSA-97g8-xfvw-q4hg

fixed_packages

url pkg:maven/org.keycloak/keycloak-parent@20.0.2

purl pkg:maven/org.keycloak/keycloak-parent@20.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jpe-awam-wqdz

vulnerability	VCID-jkh6-bvx2-dycm

vulnerability	VCID-nhe2-8dtq-gqbf

vulnerability	VCID-umcf-t6w5-juha

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@20.0.2

aliases CVE-2022-3916, GHSA-97g8-xfvw-q4hg, GMS-2022-8406

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dxj3-8sk5-mfdy

url VCID-gndk-728r-9yh7

vulnerability_id VCID-gndk-728r-9yh7

summary

Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow
A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3632.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-3632.json

reference_url

https://access.redhat.com/security/cve/CVE-2021-3632

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/CVE-2021-3632

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-3632

reference_id

reference_type

scores

value	0.00503
scoring_system	epss
scoring_elements	0.66137
published_at	2026-04-18T12:55:00Z

value	0.00503
scoring_system	epss
scoring_elements	0.66012
published_at	2026-04-01T12:55:00Z

value	0.00503
scoring_system	epss
scoring_elements	0.66055
published_at	2026-04-02T12:55:00Z

value	0.00503
scoring_system	epss
scoring_elements	0.66083
published_at	2026-04-04T12:55:00Z

value	0.00503
scoring_system	epss
scoring_elements	0.66049
published_at	2026-04-07T12:55:00Z

value	0.00503
scoring_system	epss
scoring_elements	0.66098
published_at	2026-04-08T12:55:00Z

value	0.00503
scoring_system	epss
scoring_elements	0.6611
published_at	2026-04-09T12:55:00Z

value	0.00503
scoring_system	epss
scoring_elements	0.66129
published_at	2026-04-11T12:55:00Z

value	0.00503
scoring_system	epss
scoring_elements	0.66117
published_at	2026-04-12T12:55:00Z

value	0.00503
scoring_system	epss
scoring_elements	0.66087
published_at	2026-04-13T12:55:00Z

value	0.00503
scoring_system	epss
scoring_elements	0.66123
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-3632

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=1978196

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=1978196

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url

https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/commit/65480cb5a11630909c086f79d396004499fbd1e4

reference_url

https://github.com/keycloak/keycloak/pull/8203

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/pull/8203

reference_url

https://issues.redhat.com/browse/KEYCLOAK-18500

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://issues.redhat.com/browse/KEYCLOAK-18500

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-3632

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-3632

reference_url

https://security.archlinux.org/AVG-1332

reference_id

AVG-1332

reference_type

scores

value	High
scoring_system	archlinux
scoring_elements

url

https://security.archlinux.org/AVG-1332

reference_url

https://github.com/advisories/GHSA-qpq9-jpv4-6gwr

reference_id

GHSA-qpq9-jpv4-6gwr

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-qpq9-jpv4-6gwr

reference_url	https://access.redhat.com/errata/RHSA-2021:3527
reference_id	RHSA-2021:3527
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3527

reference_url	https://access.redhat.com/errata/RHSA-2021:3528
reference_id	RHSA-2021:3528
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3528

reference_url	https://access.redhat.com/errata/RHSA-2021:3529
reference_id	RHSA-2021:3529
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3529

reference_url	https://access.redhat.com/errata/RHSA-2021:3534
reference_id	RHSA-2021:3534
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:3534

fixed_packages

url pkg:maven/org.keycloak/keycloak-parent@15.1.0

purl pkg:maven/org.keycloak/keycloak-parent@15.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jpe-awam-wqdz

vulnerability	VCID-7z49-f322-n7g8

vulnerability	VCID-8cmx-d3j7-vqbz

vulnerability	VCID-8zrg-f41g-pqfk

vulnerability	VCID-cabc-jrpz-vuad

vulnerability	VCID-dxj3-8sk5-mfdy

vulnerability	VCID-jkh6-bvx2-dycm

vulnerability	VCID-nhe2-8dtq-gqbf

vulnerability	VCID-u3tj-vmem-jbb9

vulnerability	VCID-umcf-t6w5-juha

vulnerability	VCID-xauc-r9cm-sycu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@15.1.0

aliases CVE-2021-3632, GHSA-qpq9-jpv4-6gwr

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gndk-728r-9yh7

url VCID-jkh6-bvx2-dycm

vulnerability_id VCID-jkh6-bvx2-dycm

summary

Keycloak Server-Side Request Forgery (SSRF) vulnerability
A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1518.json

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-1518.json

reference_url

https://access.redhat.com/security/cve/CVE-2026-1518

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-02T14:03:51Z/

url

https://access.redhat.com/security/cve/CVE-2026-1518

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-1518

reference_id

reference_type

scores

value	0.00011
scoring_system	epss
scoring_elements	0.01411
published_at	2026-04-08T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01396
published_at	2026-04-02T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01406
published_at	2026-04-07T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.014
published_at	2026-04-04T12:55:00Z

value	0.00011
scoring_system	epss
scoring_elements	0.01412
published_at	2026-04-09T12:55:00Z

value	0.00012
scoring_system	epss
scoring_elements	0.01576
published_at	2026-04-18T12:55:00Z

value	0.00012
scoring_system	epss
scoring_elements	0.01581
published_at	2026-04-11T12:55:00Z

value	0.00012
scoring_system	epss
scoring_elements	0.01572
published_at	2026-04-13T12:55:00Z

value	0.00012
scoring_system	epss
scoring_elements	0.01561
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-1518

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2433727

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-02T14:03:51Z/

url

https://bugzilla.redhat.com/show_bug.cgi?id=2433727

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-1518

reference_id

reference_type

scores

value	2.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-1518

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:
reference_id	cpe:/a:redhat:build_keycloak:
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:

reference_url

https://github.com/advisories/GHSA-fwhw-chw4-gh37

reference_id

GHSA-fwhw-chw4-gh37

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fwhw-chw4-gh37

fixed_packages

url pkg:maven/org.keycloak/keycloak-parent@26.5.3

purl pkg:maven/org.keycloak/keycloak-parent@26.5.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-umcf-t6w5-juha

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@26.5.3

aliases CVE-2026-1518, GHSA-fwhw-chw4-gh37

risk_score 1.4

exploitability 0.5

weighted_severity 2.7

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jkh6-bvx2-dycm

url VCID-nhe2-8dtq-gqbf

vulnerability_id VCID-nhe2-8dtq-gqbf

summary

URL Redirection to Untrusted Site ('Open Redirect')
A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users.

references

reference_url

https://access.redhat.com/errata/RHSA-2023:7854

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T14:56:46Z/

url

https://access.redhat.com/errata/RHSA-2023:7854

reference_url

https://access.redhat.com/errata/RHSA-2023:7855

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T14:56:46Z/

url

https://access.redhat.com/errata/RHSA-2023:7855

reference_url

https://access.redhat.com/errata/RHSA-2023:7856

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T14:56:46Z/

url

https://access.redhat.com/errata/RHSA-2023:7856

reference_url

https://access.redhat.com/errata/RHSA-2023:7857

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T14:56:46Z/

url

https://access.redhat.com/errata/RHSA-2023:7857

reference_url

https://access.redhat.com/errata/RHSA-2023:7858

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T14:56:46Z/

url

https://access.redhat.com/errata/RHSA-2023:7858

reference_url

https://access.redhat.com/errata/RHSA-2023:7860

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T14:56:46Z/

url

https://access.redhat.com/errata/RHSA-2023:7860

reference_url

https://access.redhat.com/errata/RHSA-2023:7861

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T14:56:46Z/

url

https://access.redhat.com/errata/RHSA-2023:7861

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6291.json

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-6291.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-6291

reference_id

reference_type

scores

value	0.00181
scoring_system	epss
scoring_elements	0.39708
published_at	2026-04-18T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.39721
published_at	2026-04-02T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.39743
published_at	2026-04-04T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.39661
published_at	2026-04-07T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.39715
published_at	2026-04-08T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.3973
published_at	2026-04-09T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.39739
published_at	2026-04-11T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.39703
published_at	2026-04-12T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.39687
published_at	2026-04-13T12:55:00Z

value	0.00181
scoring_system	epss
scoring_elements	0.39737
published_at	2026-04-16T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-6291

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2251407

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T14:56:46Z/

url

https://bugzilla.redhat.com/show_bug.cgi?id=2251407

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url

https://github.com/keycloak/keycloak/commit/b2e91105315ccf2c1df549b4f6c5948322cbfd1b

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/commit/b2e91105315ccf2c1df549b4f6c5948322cbfd1b

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:22
reference_id	cpe:/a:redhat:build_keycloak:22
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:22

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:22::el9
reference_id	cpe:/a:redhat:build_keycloak:22::el9
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:build_keycloak:22::el9

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_data_grid:7
reference_id	cpe:/a:redhat:jboss_data_grid:7
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_data_grid:7

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_data_grid:8
reference_id	cpe:/a:redhat:jboss_data_grid:8
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_data_grid:8

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:6
reference_id	cpe:/a:redhat:jboss_enterprise_application_platform:6
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_application_platform:6

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_bpms_platform:7
reference_id	cpe:/a:redhat:jboss_enterprise_bpms_platform:7
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_bpms_platform:7

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_brms_platform:7
reference_id	cpe:/a:redhat:jboss_enterprise_brms_platform:7
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_enterprise_brms_platform:7

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_fuse:7
reference_id	cpe:/a:redhat:jboss_fuse:7
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:jboss_fuse:7

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:migration_toolkit_applications:6
reference_id	cpe:/a:redhat:migration_toolkit_applications:6
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:migration_toolkit_applications:6

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:migration_toolkit_applications:7
reference_id	cpe:/a:redhat:migration_toolkit_applications:7
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:migration_toolkit_applications:7

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6
reference_id	cpe:/a:redhat:red_hat_single_sign_on:7.6
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6.6
reference_id	cpe:/a:redhat:red_hat_single_sign_on:7.6.6
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6.6

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
reference_id	cpe:/a:redhat:red_hat_single_sign_on:7.6::el7
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6::el7

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
reference_id	cpe:/a:redhat:red_hat_single_sign_on:7.6::el8
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6::el8

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
reference_id	cpe:/a:redhat:red_hat_single_sign_on:7.6::el9
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:red_hat_single_sign_on:7.6::el9

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:rhosemc:1.0::el8
reference_id	cpe:/a:redhat:rhosemc:1.0::el8
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:rhosemc:1.0::el8

reference_url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:serverless:1
reference_id	cpe:/a:redhat:serverless:1
reference_type
scores
url	https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:/a:redhat:serverless:1

reference_url

https://access.redhat.com/security/cve/CVE-2023-6291

reference_id

CVE-2023-6291

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-13T14:56:46Z/

url

https://access.redhat.com/security/cve/CVE-2023-6291

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-6291

reference_id

CVE-2023-6291

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-6291

reference_url

https://github.com/advisories/GHSA-mpwq-j3xf-7m5w

reference_id

GHSA-mpwq-j3xf-7m5w

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mpwq-j3xf-7m5w

reference_url

https://github.com/keycloak/keycloak/security/advisories/GHSA-mpwq-j3xf-7m5w

reference_id

GHSA-mpwq-j3xf-7m5w

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/security/advisories/GHSA-mpwq-j3xf-7m5w

fixed_packages

url pkg:maven/org.keycloak/keycloak-parent@23.0.0

purl pkg:maven/org.keycloak/keycloak-parent@23.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jpe-awam-wqdz

vulnerability	VCID-jkh6-bvx2-dycm

vulnerability	VCID-umcf-t6w5-juha

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@23.0.0

aliases CVE-2023-6291, GHSA-mpwq-j3xf-7m5w

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nhe2-8dtq-gqbf

url VCID-u3tj-vmem-jbb9

vulnerability_id VCID-u3tj-vmem-jbb9

summary

Incorrect Authorization
A flaw was found in Keycloak which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-4133.json

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2021-4133.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2021-4133

reference_id

reference_type

scores

value	0.00428
scoring_system	epss
scoring_elements	0.62518
published_at	2026-04-18T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.62512
published_at	2026-04-16T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.6247
published_at	2026-04-13T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.62492
published_at	2026-04-12T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.62503
published_at	2026-04-11T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.62484
published_at	2026-04-09T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.62468
published_at	2026-04-08T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.62417
published_at	2026-04-07T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.62361
published_at	2026-04-01T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.6245
published_at	2026-04-04T12:55:00Z

value	0.00428
scoring_system	epss
scoring_elements	0.6242
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2021-4133

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=2033602

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=2033602

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url

https://github.com/keycloak/keycloak/issues/9247

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/issues/9247

reference_url

https://www.oracle.com/security-alerts/cpuapr2022.html

reference_id

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://www.oracle.com/security-alerts/cpuapr2022.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2021-4133

reference_id

CVE-2021-4133

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2021-4133

reference_url

https://github.com/advisories/GHSA-83x4-9cwr-5487

reference_id

GHSA-83x4-9cwr-5487

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-83x4-9cwr-5487

reference_url

https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487

reference_id

GHSA-83x4-9cwr-5487

reference_type

scores

value	8.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/security/advisories/GHSA-83x4-9cwr-5487

reference_url	https://access.redhat.com/errata/RHSA-2021:5217
reference_id	RHSA-2021:5217
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:5217

reference_url	https://access.redhat.com/errata/RHSA-2021:5218
reference_id	RHSA-2021:5218
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:5218

reference_url	https://access.redhat.com/errata/RHSA-2021:5219
reference_id	RHSA-2021:5219
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:5219

reference_url	https://access.redhat.com/errata/RHSA-2022:0015
reference_id	RHSA-2022:0015
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:0015

reference_url	https://access.redhat.com/errata/RHSA-2022:0034
reference_id	RHSA-2022:0034
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:0034

reference_url	https://access.redhat.com/errata/RHSA-2022:0151
reference_id	RHSA-2022:0151
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:0151

reference_url	https://access.redhat.com/errata/RHSA-2022:0152
reference_id	RHSA-2022:0152
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:0152

reference_url	https://access.redhat.com/errata/RHSA-2022:0155
reference_id	RHSA-2022:0155
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:0155

reference_url	https://access.redhat.com/errata/RHSA-2022:0164
reference_id	RHSA-2022:0164
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:0164

fixed_packages

url pkg:maven/org.keycloak/keycloak-parent@15.1.1

purl pkg:maven/org.keycloak/keycloak-parent@15.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jpe-awam-wqdz

vulnerability	VCID-7z49-f322-n7g8

vulnerability	VCID-8cmx-d3j7-vqbz

vulnerability	VCID-8zrg-f41g-pqfk

vulnerability	VCID-cabc-jrpz-vuad

vulnerability	VCID-dxj3-8sk5-mfdy

vulnerability	VCID-jkh6-bvx2-dycm

vulnerability	VCID-nhe2-8dtq-gqbf

vulnerability	VCID-umcf-t6w5-juha

vulnerability	VCID-xauc-r9cm-sycu

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@15.1.1

aliases CVE-2021-4133, GHSA-83x4-9cwr-5487

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-u3tj-vmem-jbb9

url

VCID-umcf-t6w5-juha

vulnerability_id

VCID-umcf-t6w5-juha

summary

Keycloak Authentication Error
A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14910.json

reference_id

reference_type

scores

value	9.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-14910.json

reference_url

https://access.redhat.com/security/cve/cve-2019-14910

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/cve-2019-14910

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-14910

reference_id

reference_type

scores

value	0.00419
scoring_system	epss
scoring_elements	0.61931
published_at	2026-04-18T12:55:00Z

value	0.00419
scoring_system	epss
scoring_elements	0.61829
published_at	2026-04-07T12:55:00Z

value	0.00419
scoring_system	epss
scoring_elements	0.61878
published_at	2026-04-08T12:55:00Z

value	0.00419
scoring_system	epss
scoring_elements	0.61894
published_at	2026-04-09T12:55:00Z

value	0.00419
scoring_system	epss
scoring_elements	0.61915
published_at	2026-04-11T12:55:00Z

value	0.00419
scoring_system	epss
scoring_elements	0.61903
published_at	2026-04-12T12:55:00Z

value	0.00419
scoring_system	epss
scoring_elements	0.61883
published_at	2026-04-13T12:55:00Z

value	0.00419
scoring_system	epss
scoring_elements	0.61926
published_at	2026-04-16T12:55:00Z

value	0.00419
scoring_system	epss
scoring_elements	0.61754
published_at	2026-04-01T12:55:00Z

value	0.00419
scoring_system	epss
scoring_elements	0.61828
published_at	2026-04-02T12:55:00Z

value	0.00419
scoring_system	epss
scoring_elements	0.61859
published_at	2026-04-04T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-14910

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14910

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14910

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-14910

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-14910

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1778265
reference_id	1778265
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1778265

reference_url

https://github.com/advisories/GHSA-jf86-9434-f8c2

reference_id

GHSA-jf86-9434-f8c2

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jf86-9434-f8c2

fixed_packages

aliases

CVE-2019-14910, GHSA-jf86-9434-f8c2

risk_score

4.5

exploitability

0.5

weighted_severity

9.0

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-umcf-t6w5-juha

url VCID-xauc-r9cm-sycu

vulnerability_id VCID-xauc-r9cm-sycu

summary

Keycloak vulnerable to path traversal via double URL encoding
Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3782.json

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-3782.json

reference_url

https://access.redhat.com/security/cve/CVE-2022-3782

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2025-04-09T13:41:56Z/

url

https://access.redhat.com/security/cve/CVE-2022-3782

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-3782

reference_id

reference_type

scores

value	0.0012
scoring_system	epss
scoring_elements	0.31033
published_at	2026-04-12T12:55:00Z

value	0.0012
scoring_system	epss
scoring_elements	0.31077
published_at	2026-04-11T12:55:00Z

value	0.0012
scoring_system	epss
scoring_elements	0.3107
published_at	2026-04-09T12:55:00Z

value	0.0012
scoring_system	epss
scoring_elements	0.30988
published_at	2026-04-13T12:55:00Z

value	0.0012
scoring_system	epss
scoring_elements	0.31019
published_at	2026-04-16T12:55:00Z

value	0.0012
scoring_system	epss
scoring_elements	0.31042
published_at	2026-04-08T12:55:00Z

value	0.0012
scoring_system	epss
scoring_elements	0.31
published_at	2026-04-18T12:55:00Z

value	0.0012
scoring_system	epss
scoring_elements	0.30985
published_at	2026-04-07T12:55:00Z

value	0.0012
scoring_system	epss
scoring_elements	0.31166
published_at	2026-04-04T12:55:00Z

value	0.0012
scoring_system	epss
scoring_elements	0.31119
published_at	2026-04-02T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-3782

reference_url

https://github.com/keycloak/keycloak

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak

reference_url

https://github.com/keycloak/keycloak/pull/15982/commits/1987c942f527b9f3bbf2a86ba71ba8ae0154ac37

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/pull/15982/commits/1987c942f527b9f3bbf2a86ba71ba8ae0154ac37

reference_url

https://github.com/keycloak/keycloak/security/advisories/GHSA-g8q8-fggx-9r3q

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/keycloak/keycloak/security/advisories/GHSA-g8q8-fggx-9r3q

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-3782

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-3782

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2138971
reference_id	2138971
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2138971

reference_url

https://github.com/advisories/GHSA-g8q8-fggx-9r3q

reference_id

GHSA-g8q8-fggx-9r3q

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-g8q8-fggx-9r3q

reference_url	https://access.redhat.com/errata/RHSA-2023:1285
reference_id	RHSA-2023:1285
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1285

reference_url	https://access.redhat.com/errata/RHSA-2023:1661
reference_id	RHSA-2023:1661
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1661

reference_url	https://access.redhat.com/errata/RHSA-2023:2041
reference_id	RHSA-2023:2041
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2041

reference_url	https://access.redhat.com/errata/RHSA-2023:3185
reference_id	RHSA-2023:3185
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3185

reference_url	https://access.redhat.com/errata/RHSA-2023:3815
reference_id	RHSA-2023:3815
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3815

fixed_packages

url pkg:maven/org.keycloak/keycloak-parent@20.0.1

purl pkg:maven/org.keycloak/keycloak-parent@20.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jpe-awam-wqdz

vulnerability	VCID-dxj3-8sk5-mfdy

vulnerability	VCID-jkh6-bvx2-dycm

vulnerability	VCID-nhe2-8dtq-gqbf

vulnerability	VCID-umcf-t6w5-juha

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@20.0.1

url pkg:maven/org.keycloak/keycloak-parent@20.0.2

purl pkg:maven/org.keycloak/keycloak-parent@20.0.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jpe-awam-wqdz

vulnerability	VCID-jkh6-bvx2-dycm

vulnerability	VCID-nhe2-8dtq-gqbf

vulnerability	VCID-umcf-t6w5-juha

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@20.0.2

aliases CVE-2022-3782, GHSA-g8q8-fggx-9r3q, GMS-2022-8407

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xauc-r9cm-sycu

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-parent@15.0.0

Package Instance