Search for packages
| purl | pkg:maven/org.keycloak/keycloak-parent@20.0.2 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3jpe-awam-wqdz
Aliases: CVE-2026-0707 GHSA-gv94-wp4h-vv8p |
Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications. |
Affected by 2 other vulnerabilities. |
|
VCID-jkh6-bvx2-dycm
Aliases: CVE-2026-1518 GHSA-fwhw-chw4-gh37 |
Keycloak Server-Side Request Forgery (SSRF) vulnerability A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. |
Affected by 1 other vulnerability. |
|
VCID-nhe2-8dtq-gqbf
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
URL Redirection to Untrusted Site ('Open Redirect') A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. |
Affected by 3 other vulnerabilities. |
|
VCID-umcf-t6w5-juha
Aliases: CVE-2019-14910 GHSA-jf86-9434-f8c2 |
Keycloak Authentication Error A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-dxj3-8sk5-mfdy | Insufficient Session Expiration A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. |
CVE-2022-3916
GHSA-97g8-xfvw-q4hg GMS-2022-8406 |
| VCID-xauc-r9cm-sycu | Keycloak vulnerable to path traversal via double URL encoding Keycloak does not properly validate URLs included in a redirect. An attacker could construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain, or possibly conduct further attacks. |
CVE-2022-3782
GHSA-g8q8-fggx-9r3q GMS-2022-8407 |