| 0 |
| url |
VCID-2dgp-xdrz-q7dv |
| vulnerability_id |
VCID-2dgp-xdrz-q7dv |
| summary |
Duplicate Advisory: Keycloak-services SMTP Inject Vulnerability
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references.
### Original Description
A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very short emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-qj5r-2r5p-phc7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2dgp-xdrz-q7dv |
|
| 1 |
| url |
VCID-2dgt-7k4f-fyce |
| vulnerability_id |
VCID-2dgt-7k4f-fyce |
| summary |
Keycloak path traversal vulnerability in the redirect validation
An issue was found in the redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-2419 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21186 |
| published_at |
2026-04-08T12:55:00Z |
|
| 1 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21106 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21165 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21154 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21163 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21216 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21257 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21248 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21297 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21352 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-2419 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2024-2419, GHSA-mrv8-pqfj-7gp5
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-2dgt-7k4f-fyce |
|
| 2 |
| url |
VCID-3sh8-6vsc-1uae |
| vulnerability_id |
VCID-3sh8-6vsc-1uae |
| summary |
Keycloak vulnerable to impersonation via logout token exchange
Keycloak was found to not properly enforce token types when validating signatures locally. An authenticated attacker could use this flaw to exchange a logout token for an access token and possibly gain access to data outside of enforced permissions. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-0657 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12178 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12024 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.0004 |
| scoring_system |
epss |
| scoring_elements |
0.12224 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.1704 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.16873 |
| published_at |
2026-04-18T12:55:00Z |
|
| 5 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.16871 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.16934 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.16993 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17006 |
| published_at |
2026-04-08T12:55:00Z |
|
| 9 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.17065 |
| published_at |
2026-04-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-0657 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-0657, GHSA-7fpj-9hr8-28vh
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.1 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3sh8-6vsc-1uae |
|
| 3 |
| url |
VCID-41hy-n7tz-3bee |
| vulnerability_id |
VCID-41hy-n7tz-3bee |
| summary |
Keycloak's admin API allows low privilege users to use administrative functions
Users with low privileges (just plain users in the realm) are able to utilize administrative functionalities within Keycloak admin interface. This issue presents a significant security risk as it allows unauthorized users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
**Acknowledgements:**
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-3656 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.89656 |
| scoring_system |
epss |
| scoring_elements |
0.9956 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.89656 |
| scoring_system |
epss |
| scoring_elements |
0.99561 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.89656 |
| scoring_system |
epss |
| scoring_elements |
0.99559 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.89656 |
| scoring_system |
epss |
| scoring_elements |
0.99562 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.89656 |
| scoring_system |
epss |
| scoring_elements |
0.99563 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.89656 |
| scoring_system |
epss |
| scoring_elements |
0.99564 |
| published_at |
2026-04-18T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-3656 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 5 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 6 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 7 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 8 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 9 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 10 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 11 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 12 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 13 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 14 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 15 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 16 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 17 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 18 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 19 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 20 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 21 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 22 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 23 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 24 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 25 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 26 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 27 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 28 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.5 |
|
|
| aliases |
CVE-2024-3656, GHSA-2cww-fgmg-4jqc
|
| risk_score |
10.0 |
| exploitability |
2.0 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-41hy-n7tz-3bee |
|
| 4 |
| url |
VCID-5f8r-n4mm-y3g6 |
| vulnerability_id |
VCID-5f8r-n4mm-y3g6 |
| summary |
Keycloak phishing attack via email verification step in first login flow
There is a flaw with the first login flow where, during an IdP login, an attacker with a registered account can initiate the process to merge accounts with an existing victim's account. The attacker will subsequently be prompted to "review profile" information, which allows the attacker to modify their email address to that of a victim's account. This triggers a verification email sent to the victim's email address. If the victim clicks the verification link, the attacker can gain access to the victim's account. While not a zero-interaction attack, the attacker's email address is not directly present in the verification email content, making it a potential phishing opportunity.
This issue has been fixed in versions 26.0.13, 26.2.6, and 26.3.0. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:11986 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:11986 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:11987 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:11987 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:12015 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:12015 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:12016 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:12016 |
|
| 4 |
|
| 5 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2025-7365 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2025-7365 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-7365 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02484 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00014 |
| scoring_system |
epss |
| scoring_elements |
0.02498 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03277 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03362 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03382 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03341 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03312 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03267 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03357 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03291 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-7365 |
|
| 7 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2378852 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5.4 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-10T20:16:26Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2378852 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.1.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.1.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 2 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 3 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 4 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 5 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 6 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 7 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 8 |
| vulnerability |
VCID-edwz-rqc3-fqa2 |
|
| 9 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 10 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 11 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 12 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 13 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 14 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 15 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 16 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 17 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 18 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 19 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 20 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 21 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.1.0 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-7365, GHSA-xhpr-465j-7p9q
|
| risk_score |
3.2 |
| exploitability |
0.5 |
| weighted_severity |
6.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| url |
VCID-5vwq-aqk5-nkh9 |
| vulnerability_id |
VCID-5vwq-aqk5-nkh9 |
| summary |
Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods
A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1190 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00016 |
| scoring_system |
epss |
| scoring_elements |
0.03614 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04592 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04549 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.0454 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04564 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.0458 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04597 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04608 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04543 |
| published_at |
2026-04-04T12:55:00Z |
|
| 9 |
| value |
0.00018 |
| scoring_system |
epss |
| scoring_elements |
0.04557 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1190 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-1190, GHSA-63v5-26vq-m4vm
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| url |
VCID-5zh4-963a-q3gp |
| vulnerability_id |
VCID-5zh4-963a-q3gp |
| summary |
Keycloak vulnerable to session takeovers due to reuse of session identifiers
A flaw was found in Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn't clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:21370 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:21370 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:21371 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:21371 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:22088 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:22088 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2025:22089 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2025:22089 |
|
| 4 |
|
| 5 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-12390 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.0135 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01345 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03043 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03101 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03106 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03131 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03093 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03069 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03057 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00015 |
| scoring_system |
epss |
| scoring_elements |
0.03033 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-12390 |
|
| 6 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2406793 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2406793 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
| reference_url |
https://github.com/keycloak/keycloak/issues/43853 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://github.com/keycloak/keycloak/issues/43853 |
|
| 15 |
|
| 16 |
|
| 17 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2025-12390 |
| reference_id |
CVE-2025-12390 |
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-10-28T13:45:05Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2025-12390 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 4 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 5 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 6 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 7 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 8 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 9 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 10 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 11 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 12 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 13 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 14 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 15 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 16 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 17 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 18 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 19 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 20 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 21 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 22 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 23 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.0.0 |
|
|
| aliases |
CVE-2025-12390, GHSA-rg35-5v25-mqvp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-5zh4-963a-q3gp |
|
| 7 |
| url |
VCID-6hy1-r23s-cbhy |
| vulnerability_id |
VCID-6hy1-r23s-cbhy |
| summary |
Duplicate Advisory: Keycloak Open Redirect vulnerability
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-w8gr-xwp4-r9f7. This link is maintained to preserve external references.
# Original Description
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.8 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
7.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:L/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.6 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 5 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 6 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 7 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 8 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 9 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 10 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 11 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 12 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 13 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 14 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 15 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 16 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 17 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 18 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 19 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 20 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 21 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 22 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 23 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 24 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.6 |
|
|
| aliases |
GHSA-vvf8-2h68-9475
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6hy1-r23s-cbhy |
|
| 8 |
| url |
VCID-7c1j-kcbb-v3f1 |
| vulnerability_id |
VCID-7c1j-kcbb-v3f1 |
| summary |
Keycloak: Information disclosure of disabled user attributes via administrative endpoint
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3911 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01414 |
| published_at |
2026-04-09T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01407 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01402 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01254 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01408 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01413 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01773 |
| published_at |
2026-04-18T12:55:00Z |
|
| 7 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01788 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01786 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01775 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3911 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3911, GHSA-xh32-c9wx-phrp
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| url |
VCID-91gs-k267-3kbq |
| vulnerability_id |
VCID-91gs-k267-3kbq |
| summary |
Keycloak vulnerable to session hijacking via re-authentication
A flaw was found in Keycloak. An active keycloak session can be hijacked by initiating a new authentication (having the query parameter prompt=login) and forcing the user to enter his credentials once again. If the user cancels this re-authentication by clicking Restart login, the account takeover could take place as the new session, with a different SUB, will have the same SID as the previous session. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6787 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00385 |
| scoring_system |
epss |
| scoring_elements |
0.59694 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00385 |
| scoring_system |
epss |
| scoring_elements |
0.59715 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00385 |
| scoring_system |
epss |
| scoring_elements |
0.5967 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00385 |
| scoring_system |
epss |
| scoring_elements |
0.59664 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00423 |
| scoring_system |
epss |
| scoring_elements |
0.62175 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00423 |
| scoring_system |
epss |
| scoring_elements |
0.62156 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00423 |
| scoring_system |
epss |
| scoring_elements |
0.62192 |
| published_at |
2026-04-18T12:55:00Z |
|
| 7 |
| value |
0.00423 |
| scoring_system |
epss |
| scoring_elements |
0.62143 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00423 |
| scoring_system |
epss |
| scoring_elements |
0.62187 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00423 |
| scoring_system |
epss |
| scoring_elements |
0.62164 |
| published_at |
2026-04-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6787 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-6787, GHSA-c9h6-v78w-52wj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-91gs-k267-3kbq |
|
| 10 |
| url |
VCID-9wzh-7ych-y7c6 |
| vulnerability_id |
VCID-9wzh-7ych-y7c6 |
| summary |
Keycloak vulnerable to log Injection during WebAuthn authentication or registration
A flaw was found in keycloak 22.0.5. Errors in the browser client during setup/auth with "Security Key login" (WebAuthn) are written into the form, sent to Keycloak and logged without escaping, allowing log injection.
Acknowledgements:
Special thanks to Theresa Henze for reporting this issue and helping us improve our security. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6484 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56564 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56595 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56543 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.00337 |
| scoring_system |
epss |
| scoring_elements |
0.56544 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63231 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63239 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63195 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.0044 |
| scoring_system |
epss |
| scoring_elements |
0.63247 |
| published_at |
2026-04-11T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6484 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 11 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 12 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 13 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 14 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 15 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 16 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 17 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 18 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 19 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 20 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 21 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 22 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 23 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 24 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 25 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 26 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 27 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 28 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 29 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 30 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 31 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 32 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 33 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 34 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 35 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 36 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 37 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 38 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 39 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 40 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 41 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 42 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.5 |
|
|
| aliases |
CVE-2023-6484, GHSA-j628-q885-8gr5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9wzh-7ych-y7c6 |
|
| 11 |
| url |
VCID-ajcu-s4zn-63cn |
| vulnerability_id |
VCID-ajcu-s4zn-63cn |
| summary |
Keycloak secondary factor bypass in step-up authentication
Keycloak does not correctly validate its client step-up authentication. A password-authed attacker could use this flaw to register a false second auth factor, alongside the existing one, to a targeted account. The second factor then permits step-up authentication. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1866 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1866 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1867 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1867 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1868 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1868 |
|
| 3 |
|
| 4 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-3597 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-3597 |
|
| 5 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-3597 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25769 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25871 |
| published_at |
2026-04-09T12:55:00Z |
|
| 2 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25881 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.2584 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25784 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25786 |
| published_at |
2026-04-16T12:55:00Z |
|
| 6 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28573 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28375 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28531 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.00104 |
| scoring_system |
epss |
| scoring_elements |
0.28441 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-3597 |
|
| 6 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2221760 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 1 |
| value |
5.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-02T15:08:53Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2221760 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-3597, GHSA-4f53-xh3v-g8x4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ajcu-s4zn-63cn |
|
| 12 |
| url |
VCID-bhrr-nn9f-7udu |
| vulnerability_id |
VCID-bhrr-nn9f-7udu |
| summary |
Duplicate Advisory: Keycloak vulnerable to two factor authentication bypass
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-5jfq-x6xp-7rw2. This link is maintained to preserve external references.
# Original Description
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-fx44-2wx5-5fvp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bhrr-nn9f-7udu |
|
| 13 |
| url |
VCID-by72-dvnw-m3gu |
| vulnerability_id |
VCID-by72-dvnw-m3gu |
| summary |
Keycloak Denial of Service (DoS) Vulnerability via JWT Token Cache
A flaw was found in Keycloak. When the configuration uses JWT tokens for authentication, the tokens are cached until expiration. If a client uses JWT tokens with an excessively long expiration time, for example, 24 or 48 hours, the cache can grow indefinitely, leading to an OutOfMemoryError. This issue could result in a denial of service condition, preventing legitimate users from accessing the system. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-2559 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29505 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29687 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29508 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29571 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.2961 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29612 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29567 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29514 |
| published_at |
2026-04-13T12:55:00Z |
|
| 8 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29533 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00111 |
| scoring_system |
epss |
| scoring_elements |
0.29637 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-2559 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.1.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.1.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 2 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 3 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 4 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 5 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 6 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 7 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 8 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 9 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 10 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 11 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 12 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 13 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 14 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 15 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 16 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 17 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 18 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 19 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.1.5 |
|
|
| aliases |
CVE-2025-2559, GHSA-2935-2wfm-hhpv
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-by72-dvnw-m3gu |
|
| 14 |
| url |
VCID-cdsa-wmby-ebbq |
| vulnerability_id |
VCID-cdsa-wmby-ebbq |
| summary |
Duplicate Advisory: Keycloak hostname verification
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-hw58-3793-42gg. This link is maintained to preserve external references.
# Original Description
A flaw was found in Keycloak. By setting a verification policy to 'ALL', the trust store certificate verification is skipped, which is unintended. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-r934-w73g-v4p8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cdsa-wmby-ebbq |
|
| 15 |
| url |
VCID-cgf7-vbkd-cua6 |
| vulnerability_id |
VCID-cgf7-vbkd-cua6 |
| summary |
Keycloak's improper input validation allows using email as username
Keycloak allows the use of email as a username and doesn't check that an account with this email already exists. That could lead to the inability to reset/login with email for the user. This is caused by usernames being evaluated before emails. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3754 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93897 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93832 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93841 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.9385 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93853 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93861 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93865 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.9387 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93869 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.12319 |
| scoring_system |
epss |
| scoring_elements |
0.93891 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2021-3754 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.1 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 11 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 12 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 13 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 14 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 15 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 16 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 17 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 18 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 19 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 20 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 21 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 22 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 23 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 24 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 25 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 26 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 27 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 28 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 29 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 30 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 31 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 32 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 33 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 34 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 35 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 36 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 37 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 38 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 39 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 40 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.1 |
|
|
| aliases |
CVE-2021-3754, GHSA-4vc8-pg5c-vg4x
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-cgf7-vbkd-cua6 |
|
| 16 |
| url |
VCID-d2rd-6u56-yfd8 |
| vulnerability_id |
VCID-d2rd-6u56-yfd8 |
| summary |
Keycloak vulnerable to two factor authentication bypass
# Description
A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-3910 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22169 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22292 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22336 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22121 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22204 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22258 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22277 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22235 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00073 |
| scoring_system |
epss |
| scoring_elements |
0.22175 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-3910 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-3910, GHSA-5jfq-x6xp-7rw2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d2rd-6u56-yfd8 |
|
| 17 |
| url |
VCID-d6ku-ys87-cqh4 |
| vulnerability_id |
VCID-d6ku-ys87-cqh4 |
| summary |
Keycloak has Vulnerable Redirect URI Validation Results in Open Redirect
A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost/ or http://127.0.0.1/, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-8883 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89855 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89801 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89815 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89819 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89836 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89843 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89849 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89847 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.8984 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.05107 |
| scoring_system |
epss |
| scoring_elements |
0.89854 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-8883 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.6 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 5 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 6 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 7 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 8 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 9 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 10 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 11 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 12 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 13 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 14 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 15 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 16 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 17 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 18 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 19 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 20 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 21 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 22 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 23 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 24 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.6 |
|
|
| aliases |
CVE-2024-8883, GHSA-w8gr-xwp4-r9f7
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d6ku-ys87-cqh4 |
|
| 18 |
| url |
VCID-e4ub-v4ef-affb |
| vulnerability_id |
VCID-e4ub-v4ef-affb |
| summary |
Keycloak hostname verification
A flaw was found in Keycloak. By setting a verification policy to 'ANY', the trust store certificate verification is skipped, which is unintended. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-3501 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25879 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.26058 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.26099 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25867 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25936 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25988 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25998 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25954 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25895 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00092 |
| scoring_system |
epss |
| scoring_elements |
0.25898 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-3501 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-3501, GHSA-hw58-3793-42gg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e4ub-v4ef-affb |
|
| 19 |
| url |
VCID-ezqk-pyhr-5ffj |
| vulnerability_id |
VCID-ezqk-pyhr-5ffj |
| summary |
Keycloak has session fixation in Elytron SAML adapters
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7341 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82525 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.8243 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82448 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82444 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82471 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82478 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82496 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82492 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82487 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.01738 |
| scoring_system |
epss |
| scoring_elements |
0.82524 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-7341 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 5 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 6 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 7 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 8 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 9 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 10 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 11 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 12 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 13 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 14 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 15 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 16 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 17 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 18 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 19 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 20 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 21 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 22 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 23 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 24 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 25 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 26 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.5 |
|
|
| aliases |
CVE-2024-7341, GHSA-5rxp-2rhr-qwqv
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ezqk-pyhr-5ffj |
|
| 20 |
| url |
VCID-gnxr-2t9g-4ye4 |
| vulnerability_id |
VCID-gnxr-2t9g-4ye4 |
| summary |
Keycloak SMTP Inject Vulnerability
Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (the limit of the local part of the email), so the attack is limited to very short emails (a subject and little data; the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-8419 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05423 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05458 |
| published_at |
2026-04-08T12:55:00Z |
|
| 2 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05415 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05384 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.0002 |
| scoring_system |
epss |
| scoring_elements |
0.05478 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.05908 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.0595 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.05941 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.05932 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00022 |
| scoring_system |
epss |
| scoring_elements |
0.05897 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-8419 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-8419, GHSA-m4j5-5x4r-2xp9
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gnxr-2t9g-4ye4 |
|
| 21 |
| url |
VCID-gzz6-md9v-b3em |
| vulnerability_id |
VCID-gzz6-md9v-b3em |
| summary |
Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator
A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3009 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.07718 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00027 |
| scoring_system |
epss |
| scoring_elements |
0.07686 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09089 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09121 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.0909 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09009 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.09076 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.08971 |
| published_at |
2026-04-16T12:55:00Z |
|
| 8 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.0895 |
| published_at |
2026-04-18T12:55:00Z |
|
| 9 |
| value |
0.00032 |
| scoring_system |
epss |
| scoring_elements |
0.0912 |
| published_at |
2026-04-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3009 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3009, GHSA-m297-3jv9-m927
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gzz6-md9v-b3em |
|
| 22 |
| url |
VCID-htax-rbrs-mbdu |
| vulnerability_id |
VCID-htax-rbrs-mbdu |
| summary |
Keycloak Denial of Service via account lockout
In any realm with "User (Self) registration" enabled, a user registered with a username in email format can be "locked out" (denied from logging in) using that username. |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1722 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61158 |
| published_at |
2026-04-12T12:55:00Z |
|
| 1 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61171 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61151 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61093 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61135 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61121 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61087 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61185 |
| published_at |
2026-04-18T12:55:00Z |
|
| 8 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61179 |
| published_at |
2026-04-16T12:55:00Z |
|
| 9 |
| value |
0.00407 |
| scoring_system |
epss |
| scoring_elements |
0.61139 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1722 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.0 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 11 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 12 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 13 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 14 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 15 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 16 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 17 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 18 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 19 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 20 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 21 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 22 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 23 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 24 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 25 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 26 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 27 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 28 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 29 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 30 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 31 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 32 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 33 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 34 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 35 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 36 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 37 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 38 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 39 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 40 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 41 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.0 |
|
|
| aliases |
CVE-2024-1722, GHSA-cq42-vhv7-xr7p
|
| risk_score |
1.6 |
| exploitability |
0.5 |
| weighted_severity |
3.3 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-htax-rbrs-mbdu |
|
| 23 |
| url |
VCID-j4ar-u2rr-qkfu |
| vulnerability_id |
VCID-j4ar-u2rr-qkfu |
| summary |
Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)
A flaw was found in Keycloak in the OAuth 2.0 Pushed Authorization Requests (PAR). Client provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a request_uri authorization request. This could lead to an information disclosure vulnerability. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4540 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50885 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50799 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50824 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50782 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50839 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50837 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50879 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50856 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00274 |
| scoring_system |
epss |
| scoring_elements |
0.50841 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4540 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 5 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 6 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 7 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 8 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 9 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 10 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 11 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 12 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 13 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 14 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 15 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 16 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 17 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 18 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 19 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 20 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 21 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 22 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 23 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 24 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 25 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 26 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 27 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 28 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.5 |
|
|
| aliases |
CVE-2024-4540, GHSA-69fp-7c8p-crjr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-j4ar-u2rr-qkfu |
|
| 24 |
| url |
VCID-ju1d-vwgb-bqbn |
| vulnerability_id |
VCID-ju1d-vwgb-bqbn |
| summary |
Keycloak Authorization Bypass vulnerability
Due to a permissive regular expression hardcoded for filtering the hosts allowed to register a dynamic client, a previously unauthorized malicious user with enough information about the environment could exploit this and jeopardize an environment that uses this specific Dynamic Client Registration with TrustedDomain configuration.
#### Acknowledgements:
Special thanks to Bastian Kanbach for reporting this issue and helping us improve our security. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6544 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01005 |
| scoring_system |
epss |
| scoring_elements |
0.76983 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.01005 |
| scoring_system |
epss |
| scoring_elements |
0.77002 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.01005 |
| scoring_system |
epss |
| scoring_elements |
0.76973 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.01005 |
| scoring_system |
epss |
| scoring_elements |
0.77015 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.01309 |
| scoring_system |
epss |
| scoring_elements |
0.79818 |
| published_at |
2026-04-18T12:55:00Z |
|
| 5 |
| value |
0.01309 |
| scoring_system |
epss |
| scoring_elements |
0.79791 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.01309 |
| scoring_system |
epss |
| scoring_elements |
0.79813 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.01309 |
| scoring_system |
epss |
| scoring_elements |
0.79797 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.01309 |
| scoring_system |
epss |
| scoring_elements |
0.79789 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.01309 |
| scoring_system |
epss |
| scoring_elements |
0.79817 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6544 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-6544, GHSA-46c8-635v-68r2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ju1d-vwgb-bqbn |
|
| 25 |
| url |
VCID-m3uj-4mag-kbf2 |
| vulnerability_id |
VCID-m3uj-4mag-kbf2 |
| summary |
Keycloak: Missing Check on Disabled Client for Docker Registry Protocol
A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2733 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12651 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12873 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12924 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12727 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12807 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12857 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12823 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12787 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12741 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00042 |
| scoring_system |
epss |
| scoring_elements |
0.12643 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2733 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-2733, GHSA-fjf4-6f34-w64q
|
| risk_score |
1.7 |
| exploitability |
0.5 |
| weighted_severity |
3.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-m3uj-4mag-kbf2 |
|
| 26 |
| url |
VCID-mku9-3bpp-aqbk |
| vulnerability_id |
VCID-mku9-3bpp-aqbk |
| summary |
Duplicate Advisory: Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled)
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-27gp-8389-hm4w. This link is maintained to preserve external references.
### Original Description
A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-83j7-mhw9-388w
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mku9-3bpp-aqbk |
|
| 27 |
| url |
VCID-n76a-pfh2-57bn |
| vulnerability_id |
VCID-n76a-pfh2-57bn |
| summary |
Duplicate Advisory: Keycloak has a brute force login protection bypass
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-gc7q-jgjv-vjr2. This link is maintained to preserve external references.
## Original Description
A vulnerability was found in Keycloak. This flaw allows attackers to bypass brute force protection by exploiting the timing of login attempts. By initiating multiple login requests simultaneously, attackers can exceed the configured limits for failed attempts before the system locks them out. This timing loophole enables attackers to make more guesses at passwords than intended, potentially compromising account security on affected systems. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.4 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 20 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 21 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 22 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 23 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 24 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 25 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 26 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 27 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 28 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 29 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 30 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 31 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.4 |
|
|
| aliases |
GHSA-8wm9-24qg-m5qj
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-n76a-pfh2-57bn |
|
| 28 |
| url |
VCID-nxhc-rp71-hbdk |
| vulnerability_id |
VCID-nxhc-rp71-hbdk |
| summary |
Duplicate Advisory: Keycloak phishing attack via email verification step in first login flow
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-xhpr-465j-7p9q. This link is maintained to preserve external references.
### Original Description
A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
GHSA-gj52-35xm-gxjh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-nxhc-rp71-hbdk |
|
| 29 |
| url |
VCID-pjgz-fa5h-tkfh |
| vulnerability_id |
VCID-pjgz-fa5h-tkfh |
| summary |
org.keycloak:keycloak-services has Inefficient Regular Expression Complexity
A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to regex complexity. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:10175 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:10175 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:10176 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:10176 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:10177 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:10177 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:10178 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:10178 |
|
| 4 |
|
| 5 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-10270 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-10270 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-10270 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00088 |
| scoring_system |
epss |
| scoring_elements |
0.25053 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00088 |
| scoring_system |
epss |
| scoring_elements |
0.25107 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00088 |
| scoring_system |
epss |
| scoring_elements |
0.25064 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00088 |
| scoring_system |
epss |
| scoring_elements |
0.25133 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00088 |
| scoring_system |
epss |
| scoring_elements |
0.25056 |
| published_at |
2026-04-18T12:55:00Z |
|
| 5 |
| value |
0.00088 |
| scoring_system |
epss |
| scoring_elements |
0.25148 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00163 |
| scoring_system |
epss |
| scoring_elements |
0.37311 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.00163 |
| scoring_system |
epss |
| scoring_elements |
0.37216 |
| published_at |
2026-04-08T12:55:00Z |
|
| 8 |
| value |
0.00163 |
| scoring_system |
epss |
| scoring_elements |
0.37165 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00163 |
| scoring_system |
epss |
| scoring_elements |
0.37337 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-10270 |
|
| 7 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2321214 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-25T17:15:02Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2321214 |
|
| 8 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
7.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.0.6 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 4 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 5 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 6 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 7 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 8 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 9 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 10 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 11 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 12 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 13 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 14 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 15 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 16 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 17 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 18 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 19 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 20 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 21 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.0.6 |
|
|
| aliases |
CVE-2024-10270, GHSA-wq8x-cg39-8mrr
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-pjgz-fa5h-tkfh |
|
| 30 |
| url |
VCID-qgbq-s33g-d7af |
| vulnerability_id |
VCID-qgbq-s33g-d7af |
| summary |
Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3429 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00045 |
| scoring_system |
epss |
| scoring_elements |
0.13935 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16588 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16673 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16727 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00053 |
| scoring_system |
epss |
| scoring_elements |
0.16706 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00054 |
| scoring_system |
epss |
| scoring_elements |
0.16989 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.19006 |
| published_at |
2026-04-18T12:55:00Z |
|
| 7 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.19091 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.19038 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00061 |
| scoring_system |
epss |
| scoring_elements |
0.18994 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-3429 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-3429, GHSA-8g9r-9wjw-37j4
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qgbq-s33g-d7af |
|
| 31 |
| url |
VCID-rrkd-31d4-9yaq |
| vulnerability_id |
VCID-rrkd-31d4-9yaq |
| summary |
Keycloak vulnerable to LDAP Injection on UsernameForm Login
A flaw was found in the Keycloak package. This flaw allows an attacker to inject into an LDAP query and access existing usernames on the server. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-2232 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00083 |
| scoring_system |
epss |
| scoring_elements |
0.24445 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00083 |
| scoring_system |
epss |
| scoring_elements |
0.24479 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29831 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29826 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29888 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29924 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29929 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29883 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29834 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00113 |
| scoring_system |
epss |
| scoring_elements |
0.29852 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-2232 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@23.0.1 |
| purl |
pkg:maven/org.keycloak/keycloak-services@23.0.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-2dgt-7k4f-fyce |
|
| 2 |
| vulnerability |
VCID-3sh8-6vsc-1uae |
|
| 3 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 4 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 5 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 6 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 7 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 8 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 9 |
| vulnerability |
VCID-91gs-k267-3kbq |
|
| 10 |
| vulnerability |
VCID-9wzh-7ych-y7c6 |
|
| 11 |
| vulnerability |
VCID-ajcu-s4zn-63cn |
|
| 12 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 13 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 14 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 15 |
| vulnerability |
VCID-cgf7-vbkd-cua6 |
|
| 16 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 17 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 18 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 19 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 20 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 21 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 22 |
| vulnerability |
VCID-htax-rbrs-mbdu |
|
| 23 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 24 |
| vulnerability |
VCID-ju1d-vwgb-bqbn |
|
| 25 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 26 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 27 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 28 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 29 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 30 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 31 |
| vulnerability |
VCID-sgbm-r5mm-sbbx |
|
| 32 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 33 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 34 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 35 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 36 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 37 |
| vulnerability |
VCID-whsx-d6an-hkdm |
|
| 38 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 39 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 40 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 41 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 42 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
| 43 |
| vulnerability |
VCID-z2bw-n4x2-a7gj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@23.0.1 |
|
|
| aliases |
CVE-2022-2232, GHSA-8hc5-rmgf-qx6p
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-rrkd-31d4-9yaq |
|
| 32 |
| url |
VCID-sgbm-r5mm-sbbx |
| vulnerability_id |
VCID-sgbm-r5mm-sbbx |
| summary |
Keycloak path traversal vulnerability in redirection validation
A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field.
#### Acknowledgements:
Special thanks to Axel Flamcourt for reporting this issue and helping us improve our project. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1860 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1860 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1861 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1861 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1862 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1862 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1864 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1864 |
|
| 4 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1866 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1866 |
|
| 5 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1867 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1867 |
|
| 6 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1868 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1868 |
|
| 7 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:2945 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:2945 |
|
| 8 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:3752 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:3752 |
|
| 9 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:3762 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:3762 |
|
| 10 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:3919 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:3919 |
|
| 11 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:3989 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:3989 |
|
| 12 |
|
| 13 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-1132 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-1132 |
|
| 14 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1132 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00251 |
| scoring_system |
epss |
| scoring_elements |
0.48439 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00251 |
| scoring_system |
epss |
| scoring_elements |
0.4846 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55624 |
| published_at |
2026-04-18T12:55:00Z |
|
| 3 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55559 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55611 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55612 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55621 |
| published_at |
2026-04-16T12:55:00Z |
|
| 7 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.556 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00326 |
| scoring_system |
epss |
| scoring_elements |
0.55583 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1132 |
|
| 15 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2262117 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track* |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-04-23T18:37:10Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2262117 |
|
| 16 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
8.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
|
| 1 |
| value |
8.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2024-1132, GHSA-72vp-xfrc-42xm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-sgbm-r5mm-sbbx |
|
| 33 |
| url |
VCID-uuf2-u7xh-uuef |
| vulnerability_id |
VCID-uuf2-u7xh-uuef |
| summary |
Keycloak does not invalidate offline sessions when the offline_access scope is removed
A flaw was found in Keycloak. An offline session continues to be valid after the offline_access scope is removed from the client. The refresh token is still accepted, so new tokens can continue to be requested for the session. This can lead to a situation where an administrator removes the scope and assumes that offline sessions are no longer available, when in fact they are. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-12110 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17422 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17639 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17685 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17403 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17495 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17556 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17569 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17522 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17469 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00056 |
| scoring_system |
epss |
| scoring_elements |
0.17411 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-12110 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-12110, GHSA-895x-rfqp-jh5c
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-uuf2-u7xh-uuef |
|
| 34 |
| url |
VCID-v7r6-3873-77dc |
| vulnerability_id |
VCID-v7r6-3873-77dc |
| summary |
Duplicate Advisory: Keycloak exposes sensitive information in Pushed Authorization Requests (PAR)
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-69fp-7c8p-crjr. This link is maintained to preserve external references.
## Original Description
A flaw was found in Keycloak in OAuth 2.0 Pushed Authorization Requests (PAR). Client-provided parameters were found to be included in plain text in the KC_RESTART cookie returned by the authorization server's HTTP response to a `request_uri` authorization request, possibly leading to an information disclosure vulnerability. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 5 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 6 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 7 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 8 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 9 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 10 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 11 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 12 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 13 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 14 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 15 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 16 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 17 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 18 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 19 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 20 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 21 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 22 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 23 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 24 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 25 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 26 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 27 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 28 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.5 |
|
|
| aliases |
GHSA-4vrx-8phj-x3mg
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-v7r6-3873-77dc |
|
| 35 |
| url |
VCID-ver5-9t6m-c3ef |
| vulnerability_id |
VCID-ver5-9t6m-c3ef |
| summary |
Keycloak Admin REST API exposes backend schema and rules
A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-14083 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10165 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.1077 |
| published_at |
2026-04-18T12:55:00Z |
|
| 2 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10994 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10819 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10894 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10947 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10948 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10915 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10893 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00037 |
| scoring_system |
epss |
| scoring_elements |
0.10758 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-14083 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-14083, GHSA-594w-2fwp-jwrc
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ver5-9t6m-c3ef |
|
| 36 |
| url |
VCID-vstv-ec14-quc5 |
| vulnerability_id |
VCID-vstv-ec14-quc5 |
| summary |
Duplicate Advisory: org.keycloak:keycloak-services has Inefficient Regular Expression Complexity
## Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-wq8x-cg39-8mrr. This link is maintained to preserve external references.
## Original Description
A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) scenario by exhausting system resources due to the complexity of the regular expression it evaluates. |
| references |
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@26.0.6 |
| purl |
pkg:maven/org.keycloak/keycloak-services@26.0.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 4 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 5 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 6 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 7 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 8 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 9 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 10 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 11 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 12 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 13 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 14 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 15 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 16 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 17 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 18 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 19 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 20 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 21 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@26.0.6 |
|
|
| aliases |
GHSA-j3x3-r585-4qhg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vstv-ec14-quc5 |
|
| 37 |
| url |
VCID-w5f1-xryr-fucq |
| vulnerability_id |
VCID-w5f1-xryr-fucq |
| summary |
Keycloak does not validate and update refresh token usage atomically
A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1035 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01222 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01204 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01219 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01228 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01234 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01237 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.0122 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01214 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01216 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01209 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-1035 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-1035, GHSA-m2w5-7xhv-w6fh
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w5f1-xryr-fucq |
|
| 38 |
| url |
VCID-whsx-d6an-hkdm |
| vulnerability_id |
VCID-whsx-d6an-hkdm |
| summary |
Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow
Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:).
Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission.
#### Acknowledgements:
Special thanks to Lauritz Holtmann for reporting this issue and helping us improve our project. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1353 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1353 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1867 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1867 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:1868 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:1868 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:2945 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:2945 |
|
| 4 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:4057 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:4057 |
|
| 5 |
|
| 6 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2023-6717 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2023-6717 |
|
| 7 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6717 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22709 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22752 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22695 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22712 |
| published_at |
2026-04-16T12:55:00Z |
|
| 4 |
| value |
0.00076 |
| scoring_system |
epss |
| scoring_elements |
0.22791 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.2322 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.23263 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.23306 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.23096 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00078 |
| scoring_system |
epss |
| scoring_elements |
0.23169 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-6717 |
|
| 8 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2253952 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 1 |
| value |
6.0 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-04-25T19:15:14Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2253952 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2023-6717, GHSA-8rmm-gm28-pj8q
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-whsx-d6an-hkdm |
|
| 39 |
| url |
VCID-x4aw-v76q-vbdc |
| vulnerability_id |
VCID-x4aw-v76q-vbdc |
| summary |
Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass
A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration. |
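The check the advisory describes, as an added example that is not Keycloak's code: a minimal CBOR decoder (definite-length items only) parses a WebAuthn attestationObject, and a policy gate refuses fmt "none" whenever the configured attestation conveyance preference demands a statement. The set ATTESTATION_REQUIRED, the two hand-encoded sample objects, the placeholder sig bytes and the assumption that "indirect" tolerates fmt "none" are this example's own choices, not Keycloak's.

```python
ATTESTATION_REQUIRED = {"direct", "enterprise"}   # assumed: preferences that demand a statement


class AttestationPolicyViolation(Exception):
    pass


def cbor_decode(data: bytes):
    """Minimal CBOR (RFC 8949) decoder, definite-length items only; enough for attestationObject."""
    value, end = _decode_item(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return value


def _decode_item(b: bytes, i: int):
    if i >= len(b):
        raise ValueError("truncated CBOR")
    major, info = b[i] >> 5, b[i] & 0x1F
    i += 1
    if info < 24:
        n = info
    elif info <= 27:
        width = 1 << (info - 24)                  # 1, 2, 4 or 8 length bytes follow
        if i + width > len(b):
            raise ValueError("truncated CBOR length")
        n, i = int.from_bytes(b[i:i + width], "big"), i + width
    else:
        raise ValueError("indefinite-length CBOR items are not supported")
    if major == 0:
        return n, i
    if major == 1:
        return -1 - n, i
    if major in (2, 3):                           # byte string / text string
        if i + n > len(b):
            raise ValueError("truncated CBOR string")
        raw = bytes(b[i:i + n])
        return (raw if major == 2 else raw.decode("utf-8")), i + n
    if major == 4:                                # array
        items = []
        for _ in range(n):
            item, i = _decode_item(b, i)
            items.append(item)
        return items, i
    if major == 5:                                # map
        m = {}
        for _ in range(n):
            key, i = _decode_item(b, i)
            m[key], i = _decode_item(b, i)
        return m, i
    if major == 7 and info in (20, 21, 22):       # false / true / null
        return {20: False, 21: True, 22: None}[info], i
    raise ValueError(f"unsupported CBOR item: major={major} info={info}")


def check_attestation_policy(attestation_object: bytes, conveyance: str) -> str:
    """Return the attestation format, or raise if fmt "none" arrives where a statement is required."""
    obj = cbor_decode(attestation_object)
    if not isinstance(obj, dict) or not {"fmt", "attStmt", "authData"}.issubset(obj):
        raise ValueError("malformed attestationObject")
    fmt, att_stmt = obj["fmt"], obj["attStmt"]
    if not (isinstance(fmt, str) and isinstance(att_stmt, dict) and isinstance(obj["authData"], bytes)):
        raise ValueError("malformed attestationObject")
    if fmt == "none":
        if att_stmt:
            raise ValueError('fmt "none" must carry an empty attStmt')
        if conveyance in ATTESTATION_REQUIRED:
            raise AttestationPolicyViolation(
                f'realm requires attestation ({conveyance}) but the authenticator sent fmt "none"')
    # a full verifier would now validate att_stmt for the concrete format (packed, tpm, ...)
    return fmt


def registration_allowed(attestation_object: bytes, conveyance: str) -> bool:
    try:
        check_attestation_policy(attestation_object, conveyance)
        return True
    except AttestationPolicyViolation:
        return False


# Constructed samples. authData = 32-byte rpIdHash + flags (UP) + 4-byte counter; the attested
# credential data a real registration carries is left out to keep the bytes short.
AUTH_DATA = bytes(32) + b"\x01" + b"\x00\x00\x00\x01"
NONE_OBJECT = (                                   # {"fmt": "none", "attStmt": {}, "authData": ...}
    b"\xa3"
    b"\x63fmt" b"\x64none"
    b"\x67attStmt" b"\xa0"
    b"\x68authData" b"\x58\x25" + AUTH_DATA
)
PACKED_OBJECT = (                                 # {"fmt": "packed", "attStmt": {"alg": -7, "sig": ...}, ...}
    b"\xa3"
    b"\x63fmt" b"\x66packed"
    b"\x67attStmt" b"\xa2" b"\x63alg" b"\x26" b"\x63sig" b"\x45" b"\x00\x01\x02\x03\x04"   # sig: placeholder
    b"\x68authData" b"\x58\x25" + AUTH_DATA
)
```

The gate has to run before any format-specific verification, because fmt "none" has no statement to verify and a verifier that dispatches on fmt first will simply find nothing to reject.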
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-12150 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01605 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01613 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01619 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.0162 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01627 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01604 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01603 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01591 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-12150 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-12150, GHSA-7g5x-9c4v-4w5r
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x4aw-v76q-vbdc |
|
| 40 |
| url |
VCID-xd7x-aevv-cfcp |
| vulnerability_id |
VCID-xd7x-aevv-cfcp |
| summary |
Keycloak: Denial of Service due to excessive SAMLRequest decompression
A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service. |
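A bounded inflater for the Redirect binding, as an added example that is not Keycloak's code. It encodes a SAMLRequest the way the binding does (raw DEFLATE, base64, URL-encode), builds a constructed decompression bomb, and shows the unbounded zlib.decompress producing 16 MiB from a few KB while the bounded variant stops at an assumed 64 KiB ceiling (MAX_INFLATED_BYTES is a hypothetical policy value, and the sample AuthnRequest is constructed).

```python
import base64
import urllib.parse
import zlib

MAX_INFLATED_BYTES = 64 * 1024   # assumed ceiling; real AuthnRequests are a few KB


class SamlRequestTooLarge(ValueError):
    pass


def encode_redirect_binding(xml: bytes) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE, then base64, then URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml) + comp.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode("ascii"), safe="")


def _deflated_bytes(saml_request_param: str) -> bytes:
    return base64.b64decode(urllib.parse.unquote(saml_request_param))


def inflate_unbounded(saml_request_param: str) -> bytes:
    """The vulnerable shape: inflate whatever arrived, however large the output grows."""
    return zlib.decompress(_deflated_bytes(saml_request_param), -15)


def inflate_bounded(saml_request_param: str, limit: int = MAX_INFLATED_BYTES) -> bytes:
    """Inflate incrementally and abort as soon as the output would exceed `limit` bytes."""
    inflater = zlib.decompressobj(-15)
    out = bytearray()
    pending = _deflated_bytes(saml_request_param)
    while pending and not inflater.eof:
        # max_length caps this call's output; input it could not process stays in unconsumed_tail
        out += inflater.decompress(pending, limit + 1 - len(out))
        if len(out) > limit:
            raise SamlRequestTooLarge(f"inflated SAMLRequest exceeds {limit} bytes")
        pending = inflater.unconsumed_tail
    out += inflater.flush()
    if len(out) > limit:
        raise SamlRequestTooLarge(f"inflated SAMLRequest exceeds {limit} bytes")
    if not inflater.eof:
        raise ValueError("truncated DEFLATE stream")
    return bytes(out)


# Constructed inputs: a plausible AuthnRequest and a bomb (a few KB that inflate to 16 MiB).
GENUINE_REQUEST = (
    b'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    b'ID="_c0ffee" Version="2.0" IssueInstant="2026-01-01T00:00:00Z" '
    b'AssertionConsumerServiceURL="https://sp.example.com/saml/acs"/>'
)
BOMB_REQUEST = b"<samlp:AuthnRequest>" + b"A" * (16 * 1024 * 1024) + b"</samlp:AuthnRequest>"

genuine_param = encode_redirect_binding(GENUINE_REQUEST)
bomb_param = encode_redirect_binding(BOMB_REQUEST)


def inflation_ratio(saml_request_param: str) -> float:
    """Output bytes per input byte when inflated without a limit (the attacker's leverage)."""
    return len(inflate_unbounded(saml_request_param)) / len(_deflated_bytes(saml_request_param))


def bounded_rejects(saml_request_param: str) -> bool:
    try:
        inflate_bounded(saml_request_param)
    except SamlRequestTooLarge:
        return True
    return False
```

Set the ceiling from the largest legitimate AuthnRequest you expect, and put the same check in front of every inflate of attacker-controlled data. A request-size limit at the reverse proxy does not help on its own, because the compressed form that arrives on the wire is tiny.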
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2575 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08376 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08475 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08531 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08449 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08523 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08543 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08537 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08517 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08501 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.0003 |
| scoring_system |
epss |
| scoring_elements |
0.08393 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2575 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-2575, GHSA-xv6h-r36f-3gp5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xd7x-aevv-cfcp |
|
| 41 |
| url |
VCID-xfnw-15sz-zyfr |
| vulnerability_id |
VCID-xfnw-15sz-zyfr |
| summary |
Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions
A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-14082 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00011 |
| scoring_system |
epss |
| scoring_elements |
0.01382 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01613 |
| published_at |
2026-04-09T12:55:00Z |
|
| 2 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01605 |
| published_at |
2026-04-07T12:55:00Z |
|
| 3 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01607 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00012 |
| scoring_system |
epss |
| scoring_elements |
0.01604 |
| published_at |
2026-04-04T12:55:00Z |
|
| 5 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.021 |
| published_at |
2026-04-18T12:55:00Z |
|
| 6 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.02131 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.02116 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.02111 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00013 |
| scoring_system |
epss |
| scoring_elements |
0.02087 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-14082 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-14082, GHSA-6q37-7866-h27j
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xfnw-15sz-zyfr |
|
| 42 |
| url |
VCID-y1h3-yyn9-53fr |
| vulnerability_id |
VCID-y1h3-yyn9-53fr |
| summary |
Keycloak: Unauthorized authentication via disabled SAML Identity Provider
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2603 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.3858 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38518 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38504 |
| published_at |
2026-04-09T12:55:00Z |
|
| 3 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38495 |
| published_at |
2026-04-08T12:55:00Z |
|
| 4 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38444 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00172 |
| scoring_system |
epss |
| scoring_elements |
0.38556 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45478 |
| published_at |
2026-04-18T12:55:00Z |
|
| 7 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45429 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.4543 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.00227 |
| scoring_system |
epss |
| scoring_elements |
0.45482 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-2603 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-2603, GHSA-x4p7-7chp-64hq
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y1h3-yyn9-53fr |
|
| 43 |
| url |
VCID-ysyw-rgyv-bkhj |
| vulnerability_id |
VCID-ysyw-rgyv-bkhj |
| summary |
Keycloak Services has a potential bypass of brute force protection
If an attacker launches many login attempts in parallel, the attacker can get more guesses at a password than the brute force protection configuration permits. This is because the brute force check occurs before the brute force protector has locked the user.
**Acknowledgements:**
Special thanks to Maurizio Agazzini for reporting this issue and helping us improve our project. |
| references |
| 0 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6493 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6493 |
|
| 1 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6494 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6494 |
|
| 2 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6495 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6495 |
|
| 3 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6497 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6497 |
|
| 4 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6499 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6499 |
|
| 5 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6500 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6500 |
|
| 6 |
| reference_url |
https://access.redhat.com/errata/RHSA-2024:6501 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/errata/RHSA-2024:6501 |
|
| 7 |
|
| 8 |
| reference_url |
https://access.redhat.com/security/cve/CVE-2024-4629 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://access.redhat.com/security/cve/CVE-2024-4629 |
|
| 9 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4629 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.78008 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77923 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77951 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77933 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.7796 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77964 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77991 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77975 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.77973 |
| published_at |
2026-04-13T12:55:00Z |
|
| 9 |
| value |
0.01093 |
| scoring_system |
epss |
| scoring_elements |
0.78009 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-4629 |
|
| 10 |
| reference_url |
https://bugzilla.redhat.com/show_bug.cgi?id=2276761 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 3 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-09-03T20:20:28Z/ |
|
|
| url |
https://bugzilla.redhat.com/show_bug.cgi?id=2276761 |
|
| 11 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.4 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 5 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 6 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 7 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 8 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 9 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 10 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 11 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 12 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 13 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 14 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 15 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 16 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 17 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 18 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 19 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 20 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 21 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 22 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 23 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 24 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 25 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 26 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 27 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.4 |
|
|
| aliases |
CVE-2024-4629, GHSA-gc7q-jgjv-vjr2
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ysyw-rgyv-bkhj |
|
| 44 |
| url |
VCID-z2bw-n4x2-a7gj |
| vulnerability_id |
VCID-z2bw-n4x2-a7gj |
| summary |
Keycloak's unvalidated cross-origin messages in checkLoginIframe leads to DDoS
A potential security flaw in "checkLoginIframe" allows unvalidated cross-origin messages, enabling potential DDoS attacks. By exploiting this vulnerability, attackers could coordinate to send millions of requests in seconds using simple code, significantly impacting the application's availability, because incoming messages are not subjected to proper origin validation.
#### Acknowledgements
Special thanks to Adriano Márcio Monteiro from BRZTEC for reporting this issue and helping us improve our project. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1249 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38284 |
| published_at |
2026-04-18T12:55:00Z |
|
| 1 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38318 |
| published_at |
2026-04-11T12:55:00Z |
|
| 2 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38282 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38257 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.0017 |
| scoring_system |
epss |
| scoring_elements |
0.38304 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.00175 |
| scoring_system |
epss |
| scoring_elements |
0.39001 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00175 |
| scoring_system |
epss |
| scoring_elements |
0.39019 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00175 |
| scoring_system |
epss |
| scoring_elements |
0.39004 |
| published_at |
2026-04-08T12:55:00Z |
|
| 8 |
| value |
0.00175 |
| scoring_system |
epss |
| scoring_elements |
0.38952 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00175 |
| scoring_system |
epss |
| scoring_elements |
0.3902 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-1249 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| purl |
pkg:maven/org.keycloak/keycloak-services@24.0.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-41hy-n7tz-3bee |
|
| 2 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 3 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 4 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 5 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 6 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 7 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 8 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 9 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 10 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 11 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 12 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 13 |
| vulnerability |
VCID-ezqk-pyhr-5ffj |
|
| 14 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 15 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 16 |
| vulnerability |
VCID-j4ar-u2rr-qkfu |
|
| 17 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 18 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 19 |
| vulnerability |
VCID-n76a-pfh2-57bn |
|
| 20 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 21 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 22 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 23 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 24 |
| vulnerability |
VCID-v7r6-3873-77dc |
|
| 25 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 26 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 27 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 28 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 29 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 30 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 31 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
| 32 |
| vulnerability |
VCID-ysyw-rgyv-bkhj |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@24.0.3 |
|
|
| aliases |
CVE-2024-1249, GHSA-m6q9-p373-g5q8
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-z2bw-n4x2-a7gj |
|
| 45 |
| url |
VCID-zp22-a33x-bqfq |
| vulnerability_id |
VCID-zp22-a33x-bqfq |
| summary |
Duplicate Advisory: Keycloak Session Fixation vulnerability
# Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-5rxp-2rhr-qwqv. This link is maintained to preserve external references.
# Original Description
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the `turnOffChangeSessionIdOnLogin` option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
| reference_url |
https://github.com/keycloak/keycloak |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
7.1 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H |
|
| 1 |
| value |
7.5 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
|
| 2 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/keycloak/keycloak |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:maven/org.keycloak/keycloak-services@25.0.5 |
| purl |
pkg:maven/org.keycloak/keycloak-services@25.0.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-2dgp-xdrz-q7dv |
|
| 1 |
| vulnerability |
VCID-5f8r-n4mm-y3g6 |
|
| 2 |
| vulnerability |
VCID-5vwq-aqk5-nkh9 |
|
| 3 |
| vulnerability |
VCID-5zh4-963a-q3gp |
|
| 4 |
| vulnerability |
VCID-6hy1-r23s-cbhy |
|
| 5 |
| vulnerability |
VCID-7c1j-kcbb-v3f1 |
|
| 6 |
| vulnerability |
VCID-bhrr-nn9f-7udu |
|
| 7 |
| vulnerability |
VCID-by72-dvnw-m3gu |
|
| 8 |
| vulnerability |
VCID-cdsa-wmby-ebbq |
|
| 9 |
| vulnerability |
VCID-d2rd-6u56-yfd8 |
|
| 10 |
| vulnerability |
VCID-d6ku-ys87-cqh4 |
|
| 11 |
| vulnerability |
VCID-e4ub-v4ef-affb |
|
| 12 |
| vulnerability |
VCID-gnxr-2t9g-4ye4 |
|
| 13 |
| vulnerability |
VCID-gzz6-md9v-b3em |
|
| 14 |
| vulnerability |
VCID-m3uj-4mag-kbf2 |
|
| 15 |
| vulnerability |
VCID-mku9-3bpp-aqbk |
|
| 16 |
| vulnerability |
VCID-nxhc-rp71-hbdk |
|
| 17 |
| vulnerability |
VCID-pjgz-fa5h-tkfh |
|
| 18 |
| vulnerability |
VCID-qgbq-s33g-d7af |
|
| 19 |
| vulnerability |
VCID-uuf2-u7xh-uuef |
|
| 20 |
| vulnerability |
VCID-ver5-9t6m-c3ef |
|
| 21 |
| vulnerability |
VCID-vstv-ec14-quc5 |
|
| 22 |
| vulnerability |
VCID-w5f1-xryr-fucq |
|
| 23 |
| vulnerability |
VCID-x4aw-v76q-vbdc |
|
| 24 |
| vulnerability |
VCID-xd7x-aevv-cfcp |
|
| 25 |
| vulnerability |
VCID-xfnw-15sz-zyfr |
|
| 26 |
| vulnerability |
VCID-y1h3-yyn9-53fr |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:maven/org.keycloak/keycloak-services@25.0.5 |
|
|
| aliases |
GHSA-j76j-rqwj-jmvv
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-zp22-a33x-bqfq |
|