Search for packages
| purl | pkg:maven/org.keycloak/keycloak-parent@20.0.5 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3jpe-awam-wqdz
Aliases: CVE-2026-0707 GHSA-gv94-wp4h-vv8p |
Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications. |
Affected by 2 other vulnerabilities. |
|
VCID-jkh6-bvx2-dycm
Aliases: CVE-2026-1518 GHSA-fwhw-chw4-gh37 |
Keycloak Server-Side Request Forgery (SSRF) vulnerability A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. |
Affected by 1 other vulnerability. |
|
VCID-nhe2-8dtq-gqbf
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
URL Redirection to Untrusted Site ('Open Redirect') A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. |
Affected by 3 other vulnerabilities. |
|
VCID-umcf-t6w5-juha
Aliases: CVE-2019-14910 GHSA-jf86-9434-f8c2 |
Keycloak Authentication Error A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-ebn8-cjqs-k3ad | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker. |
CVE-2022-4137
GHSA-9hhc-pj4w-w5rv GMS-2023-616 |