VulnerableCode Package Details - pkg:maven/org.keycloak/keycloak-core@26.0.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-heqp-u355-wyaz Aliases: CVE-2024-10039 GHSA-93ww-43rr-79v3	Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.	26.0.6 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-kp25-fan9-jkd2 Aliases: CVE-2024-4028 GHSA-q4xq-445g-g6ch	Keycloak allows cross-site scripting (XSS) A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.	26.1.3 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-heqp-u355-wyaz
Aliases:
CVE-2024-10039
GHSA-93ww-43rr-79v3

Keycloak mTLS Authentication Bypass via Reverse Proxy TLS Termination A vulnerability was found in Keycloak. Deployments of Keycloak with a reverse proxy not using pass-through termination of TLS, with mTLS enabled, are affected. This issue may allow an attacker on the local network to authenticate as any user or client that leverages mTLS as the authentication mechanism.

26.0.6
Affected by 1 other vulnerability.

VCID-kp25-fan9-jkd2
Aliases:
CVE-2024-4028
GHSA-q4xq-445g-g6ch

Keycloak allows cross-site scripting (XSS) A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.

26.1.3
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-29T22:02:36.485630+00:00	GitLab Importer	Affected by	VCID-kp25-fan9-jkd2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-4028.yml	38.5.0
2026-04-29T21:56:56.400065+00:00	GitLab Importer	Affected by	VCID-heqp-u355-wyaz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-10039.yml	38.5.0
2026-04-16T23:21:13.809984+00:00	GitLab Importer	Affected by	VCID-kp25-fan9-jkd2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-4028.yml	38.4.0
2026-04-16T23:15:38.827591+00:00	GitLab Importer	Affected by	VCID-heqp-u355-wyaz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-10039.yml	38.4.0
2026-04-12T00:40:15.733621+00:00	GitLab Importer	Affected by	VCID-kp25-fan9-jkd2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-4028.yml	38.3.0
2026-04-12T00:34:17.795362+00:00	GitLab Importer	Affected by	VCID-heqp-u355-wyaz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-10039.yml	38.3.0
2026-04-03T00:48:11.322581+00:00	GitLab Importer	Affected by	VCID-kp25-fan9-jkd2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-4028.yml	38.1.0
2026-04-03T00:42:01.787815+00:00	GitLab Importer	Affected by	VCID-heqp-u355-wyaz	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-core/CVE-2024-10039.yml	38.1.0