Search for packages
| purl | pkg:maven/org.keycloak/keycloak-parent@22.0.3 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.5 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-3jpe-awam-wqdz
Aliases: CVE-2026-0707 GHSA-gv94-wp4h-vv8p |
Keycloak has Incorrect Behavior Order: Authorization Before Parsing and Canonicalization A flaw was found in Keycloak. The Keycloak Authorization header parser is overly permissive regarding the formatting of the "Bearer" authentication scheme. It accepts non-standard characters (such as tabs) as separators and tolerates case variations that deviate from RFC 6750 specifications. |
Affected by 2 other vulnerabilities. |
|
VCID-jkh6-bvx2-dycm
Aliases: CVE-2026-1518 GHSA-fwhw-chw4-gh37 |
Keycloak Server-Side Request Forgery (SSRF) vulnerability A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. |
Affected by 1 other vulnerability. |
|
VCID-nhe2-8dtq-gqbf
Aliases: CVE-2023-6291 GHSA-mpwq-j3xf-7m5w |
URL Redirection to Untrusted Site ('Open Redirect') A flaw was found in the redirect_uri validation logic in Keycloak. This issue may allow a bypass of otherwise explicitly allowed hosts. A successful attack may lead to an access token being stolen, making it possible for the attacker to impersonate other users. |
Affected by 3 other vulnerabilities. |
|
VCID-umcf-t6w5-juha
Aliases: CVE-2019-14910 GHSA-jf86-9434-f8c2 |
Keycloak Authentication Error A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered. | There are no reported fixed by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-gfj3-2set-rycr | Cleartext Transmission of Sensitive Information A flaw was found in the Keycloak package, more specifically org.keycloak.userprofile. When a user registers itself through registration flow, the "password" and "password-confirm" field from the form will occur as regular user attributes. All users and clients with proper rights and roles are able to read users attributes, allowing a malicious user with minimal access to retrieve the users passwords in clear text, jeopardizing their environment. |
CVE-2023-4918
GHSA-5q66-v53q-pm35 |