Search for packages
| purl | pkg:maven/org.keycloak/keycloak-services@26.2.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2dgp-xdrz-q7dv
Aliases: GHSA-qj5r-2r5p-phc7 |
Duplicate Advisory: Keycloak-services SMTP Inject Vulnerability ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-m4j5-5x4r-2xp9. This link is maintained to preserve external references. ### Original Description A vulnerability was found in Keycloak-services. Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks. |
Affected by 13 other vulnerabilities. |
|
VCID-5f8r-n4mm-y3g6
Aliases: CVE-2025-7365 GHSA-xhpr-465j-7p9q |
Keycloak phishing attack via email verification step in first login flow There is a flaw with the first login flow where, during a IdP login, an attacker with a registered account can initiate the process to merge accounts with an existing victim's account. The attacker will subsequently be prompted to "review profile" information, which allows the the attacker to modify their email address to that of a victim's account. This triggers a verification email sent to the victim's email address. If the victim clicks the verification link, the attacker can gain access to the victim's account. While not a zero-interaction attack, the attacker's email address is not directly present in the verification email content, making it a potential phishing opportunity. This issue has been fixed in versions 26.0.13, 26.2.6, and 26.3.0. |
Affected by 0 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-5vwq-aqk5-nkh9
Aliases: CVE-2026-1190 GHSA-63v5-26vq-m4vm |
Keycloak's missing timestamp validation allows attackers to extend SAML response validity periods A flaw was found in Keycloak's SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption. |
Affected by 10 other vulnerabilities. |
|
VCID-7c1j-kcbb-v3f1
Aliases: CVE-2026-3911 GHSA-xh32-c9wx-phrp |
Keycloak: Information disclosure of disabled user attributes via administrative endpoint A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data. |
Affected by 5 other vulnerabilities. |
|
VCID-9f1k-z7z2-d7cc
Aliases: CVE-2025-7784 GHSA-27gp-8389-hm4w |
Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled) A Privilege Escalation vulnerability was identified in the Keycloak identity and access management solution, specifically when FGAPv2 is enabled in version 26.2.x. The flaw lies in the admin permission enforcement logic, where a user with manage-users privileges can self-assign realm-admin rights. The escalation occurs due to missing privilege boundary checks in role mapping operations via the admin REST interface. A malicious administrator with limited permissions can exploit this by editing their own user roles, gaining unauthorized full access to realm configuration and user data. This issue has been fixed in versions 26.2.6, and 26.3.0. |
Affected by 0 other vulnerabilities. Affected by 20 other vulnerabilities. |
|
VCID-gnxr-2t9g-4ye4
Aliases: CVE-2025-8419 GHSA-m4j5-5x4r-2xp9 |
Keycloak SMTP Inject Vulnerability Special characters used during e-mail registration may perform SMTP Injection and unexpectedly send short unwanted e-mails. The email is limited to 64 characters (limited local part of the email), so the attack is limited to very shorts emails (subject and little data, the example is 60 chars). This flaw's only direct consequence is an unsolicited email being sent from the Keycloak server. However, this action could be a precursor for more sophisticated attacks. |
Affected by 0 other vulnerabilities. Affected by 13 other vulnerabilities. |
|
VCID-gzz6-md9v-b3em
Aliases: CVE-2026-3009 GHSA-m297-3jv9-m927 |
Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. |
Affected by 9 other vulnerabilities. |
|
VCID-m3uj-4mag-kbf2
Aliases: CVE-2026-2733 GHSA-fjf4-6f34-w64q |
Keycloak: Missing Check on Disabled Client for Docker Registry Protocol A flaw was identified in the Docker v2 authentication endpoint of Keycloak, where tokens continue to be issued even after a Docker registry client has been administratively disabled. This means that turning the client “Enabled” setting to OFF does not fully prevent access. As a result, previously valid credentials can still be used to obtain authentication tokens. This weakens administrative controls and could allow unintended access to container registry resources. |
Affected by 8 other vulnerabilities. |
|
VCID-mdkf-3bgs-w7dm
Aliases: CVE-2026-4874 GHSA-22rm-wp4x-v5cx |
Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure. |
Affected by 0 other vulnerabilities. |
|
VCID-mku9-3bpp-aqbk
Aliases: GHSA-83j7-mhw9-388w |
Duplicate Advisory: Keycloak Privilege Escalation Vulnerability in Admin Console (FGAPv2 Enabled) ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-27gp-8389-hm4w. This link is maintained to preserve external references. ### Original Description A flaw was found in the Keycloak identity and access management system when Fine-Grained Admin Permissions (FGAPv2) are enabled. An administrative user with the manage-users role can escalate their privileges to realm-admin due to improper privilege enforcement. This vulnerability allows unauthorized elevation of access rights, compromising the intended separation of administrative duties and posing a security risk to the realm. |
Affected by 15 other vulnerabilities. |
|
VCID-nxhc-rp71-hbdk
Aliases: GHSA-gj52-35xm-gxjh |
Duplicate Advisory: Keycloak phishing attack via email verification step in first login flow ### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-xhpr-465j-7p9q. This link is maintained to preserve external references. ### Original Description A flaw was found in Keycloak. When an authenticated attacker attempts to merge accounts with another existing account during an identity provider (IdP) login, the attacker will subsequently be prompted to "review profile" information. This vulnerability allows the attacker to modify their email address to match that of a victim's account, triggering a verification email sent to the victim's email address. The attacker's email address is not present in the verification email content, making it a potential phishing opportunity. If the victim clicks the verification link, the attacker can gain access to the victim's account. |
Affected by 20 other vulnerabilities. |
|
VCID-qgbq-s33g-d7af
Aliases: CVE-2026-3429 GHSA-8g9r-9wjw-37j4 |
Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication. |
Affected by 4 other vulnerabilities. |
|
VCID-szbr-v2vq-3kbn
Aliases: CVE-2026-3121 GHSA-7xf9-4jfc-wgm4 |
Keycloak: manage-clients permission escalates to full realm admin access A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level. |
Affected by 5 other vulnerabilities. |
|
VCID-ugtk-3bjv-s3a4
Aliases: CVE-2026-4628 GHSA-4pgc-gfrr-wcmg |
Keycloak has Improper Access Control allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity. |
Affected by 0 other vulnerabilities. |
|
VCID-v77w-st1u-pfe6
Aliases: CVE-2026-3190 GHSA-q35r-vvhv-vx5h |
Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partial leads to information disclosure. |
Affected by 5 other vulnerabilities. |
|
VCID-ver5-9t6m-c3ef
Aliases: CVE-2025-14083 GHSA-594w-2fwp-jwrc |
Keycloak Admin REST API exposes backend schema and rules A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control. |
Affected by 20 other vulnerabilities. |
|
VCID-w5f1-xryr-fucq
Aliases: CVE-2026-1035 GHSA-m2w5-7xhv-w6fh |
Keycloak does not validate and update refresh token usage atomically A flaw was found in the Keycloak server during refresh token processing, specifically in the TokenManager class responsible for enforcing refresh token reuse policies. When strict refresh token rotation is enabled, the validation and update of refresh token usage are not performed atomically. This allows concurrent refresh requests to bypass single-use enforcement and issue multiple access tokens from the same refresh token. As a result, Keycloak’s refresh token rotation hardening can be undermined. |
Affected by 20 other vulnerabilities. |
|
VCID-x4aw-v76q-vbdc
Aliases: CVE-2025-12150 GHSA-7g5x-9c4v-4w5r |
Keycloak REST Services has a WebAuthn Attestation Statement Verification Bypass A flaw was found in Keycloak’s WebAuthn registration component. This vulnerability allows an attacker to bypass the configured attestation policy and register untrusted or forged authenticators via submission of an attestation object with fmt: "none", even when the realm is configured to require direct attestation. This can lead to weakened authentication integrity and unauthorized authenticator registration. |
Affected by 12 other vulnerabilities. |
|
VCID-xd7x-aevv-cfcp
Aliases: CVE-2026-2575 GHSA-xv6h-r36f-3gp5 |
Keycloak: Denial of Service due to excessive SAMLRequest decompression A flaw was found in Keycloak. An unauthenticated remote attacker can trigger an application level Denial of Service (DoS) by sending a highly compressed SAMLRequest through the SAML Redirect Binding. The server fails to enforce size limits during DEFLATE decompression, leading to an OutOfMemoryError (OOM) and subsequent process termination. This vulnerability allows an attacker to disrupt the availability of the service. |
Affected by 8 other vulnerabilities. |
|
VCID-xfnw-15sz-zyfr
Aliases: CVE-2025-14082 GHSA-6q37-7866-h27j |
Keycloak Admin REST (Representational State Transfer) API does not properly enforce permissions A flaw was found in Keycloak Admin REST (Representational State Transfer) API. This vulnerability allows information disclosure of sensitive role metadata via insufficient authorization checks on the /admin/realms/{realm}/roles endpoint. |
Affected by 18 other vulnerabilities. |
|
VCID-y1h3-yyn9-53fr
Aliases: CVE-2026-2603 GHSA-x4p7-7chp-64hq |
Keycloak: Unauthorized authentication via disabled SAML Identity Provider A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication. |
Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-uuf2-u7xh-uuef | Keycloak does not invalidate offline sessions when the offline_access scope is removed A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are. |
CVE-2025-12110
GHSA-895x-rfqp-jh5c |