Search for packages
| purl | pkg:maven/org.keycloak/keycloak-parent@15.0.2 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3jpe-awam-wqdz
Aliases: CVE-2026-0707 GHSA-gv94-wp4h-vv8p |
Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications. |
Affected by 2 other vulnerabilities. |
|
VCID-7z49-f322-n7g8
Aliases: CVE-2022-2668 GHSA-wf7g-7h6h-678v |
Keycloak SAML javascript protocol mapper: Uploading of scripts through admin console An issue was discovered in Keycloak allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the `UPLOAD_SCRIPTS` feature is disabled |
Affected by 6 other vulnerabilities. |
|
VCID-8cmx-d3j7-vqbz
Aliases: GHSA-m98g-63qj-fp8j GMS-2022-1097 |
Reflected XSS on clients-registrations endpoint A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. When a malicious request is sent to the client registration endpoint, the error message is not properly escaped, allowing an attacker to execute malicious scripts into the user's browser. |
Affected by 8 other vulnerabilities. |
|
VCID-8zrg-f41g-pqfk
Aliases: CVE-2021-3827 GHSA-4pc7-vqv5-5r3v GMS-2022-1098 |
ECP SAML binding bypasses authentication flows ### Description A flaw was found in keycloak, where the default ECP binding flow allows other authentication flows to be bypassed. By exploiting this behavior, an attacker can bypass the MFA authentication by sending a SOAP request with an AuthnRequest and Authorization header with the user's credentials. The highest threat from this vulnerability is to confidentiality and integrity. |
Affected by 8 other vulnerabilities. |
|
VCID-cabc-jrpz-vuad
Aliases: CVE-2022-2256 GHSA-w9mf-83w3-fv49 |
Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release (18.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing of the default roles functionality. ### CVSS 3.1 - **3.8** **Vector String:** AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N **Vector Clarification:** * User interaction is not required as the admin console is regularly used during an administrator's work * The scope is unchanged since the admin console web application is both the vulnerable component and where the exploit executes ### Credits Aytaç Kalıncı, Ilker Bulgurcu, Yasin Yılmaz (@aytackalinci, @smileronin, @yasinyilmaz) - NETAŞ PENTEST TEAM |
Affected by 6 other vulnerabilities. |
|
VCID-dxj3-8sk5-mfdy
Aliases: CVE-2022-3916 GHSA-97g8-xfvw-q4hg GMS-2022-8406 |
Insufficient Session Expiration A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. |
Affected by 4 other vulnerabilities. |
|
VCID-gndk-728r-9yh7
Aliases: CVE-2021-3632 GHSA-qpq9-jpv4-6gwr |
Keycloak allows anyone to register new security device or key for any user by using WebAuthn password-less login flow A flaw was found in Keycloak. This vulnerability allows anyone to register a new security device or key when there is not a device already registered for any user by using the WebAuthn password-less login flow. |
Affected by 11 other vulnerabilities. |
|
VCID-jkh6-bvx2-dycm
Aliases: CVE-2026-1518 GHSA-fwhw-chw4-gh37 |
Keycloak Server-Side Request Forgery (SSRF) vulnerability A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. |
Affected by 1 other vulnerability. |
|
VCID-nhe2-8dtq-gqbf
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
URL Redirection to Untrusted Site ('Open Redirect') A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. |
Affected by 3 other vulnerabilities. |
|
VCID-u3tj-vmem-jbb9
Aliases: CVE-2021-4133 GHSA-83x4-9cwr-5487 |
Incorrect Authorization A flaw was found in Keycloak which allows an attacker with any existing user account to create new default user accounts via the administrative REST API even when new user registration is disabled. |
Affected by 10 other vulnerabilities. |
|
VCID-umcf-t6w5-juha
Aliases: CVE-2019-14910 GHSA-jf86-9434-f8c2 |
Keycloak Authentication Error A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered. | There are no reported fixed by versions. |
|
VCID-xauc-r9cm-sycu
Aliases: CVE-2022-3782 GHSA-g8q8-fggx-9r3q GMS-2022-8407 |
Keycloak vulnerable to path traversal via double URL encoding Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks. |
Affected by 5 other vulnerabilities. Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||