purl: pkg:maven/org.keycloak/keycloak-services@26.5.5
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-7c1j-kcbb-v3f1 (aliases: CVE-2026-3911, GHSA-xh32-c9wx-phrp) | Keycloak: Information disclosure of disabled user attributes via administrative endpoint. A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data. | Affected by 5 other vulnerabilities. |
| VCID-c1zj-whnw-1qf6 (aliases: CVE-2026-37980, GHSA-m32f-8vh9-2hh3) | Keycloak: Arbitrary code execution via Stored Cross-Site Scripting (XSS) in organization selection login page. | There are no reported fixed by versions. |
| VCID-mdkf-3bgs-w7dm (aliases: CVE-2026-4874, GHSA-22rm-wp4x-v5cx) | Keycloak: Server-Side Request Forgery via OIDC token endpoint manipulation. A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure. | Affected by 0 other vulnerabilities. |
| VCID-qgbq-s33g-d7af (aliases: CVE-2026-3429, GHSA-8g9r-9wjw-37j4) | Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API. A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication. | Affected by 4 other vulnerabilities. |
| VCID-szbr-v2vq-3kbn (aliases: CVE-2026-3121, GHSA-7xf9-4jfc-wgm4) | Keycloak: manage-clients permission escalates to full realm admin access. A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level. | Affected by 5 other vulnerabilities. |
| VCID-tc9b-zzjt-63c7 (aliases: CVE-2026-2092, GHSA-wmxr-6j5f-838p) | Keycloak: Unauthorized access via improper validation of encrypted SAML assertions. A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure. | There are no reported fixed by versions. |
| VCID-ugtk-3bjv-s3a4 (aliases: CVE-2026-4628, GHSA-4pgc-gfrr-wcmg) | Keycloak: Improper Access Control allows attackers with valid credentials to bypass allowRemoteResourceManagement=false. A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity. | Affected by 0 other vulnerabilities. |
| VCID-v77w-st1u-pfe6 (aliases: CVE-2026-3190, GHSA-q35r-vvhv-vx5h) | Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure. A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partially leads to information disclosure. | Affected by 5 other vulnerabilities. |
| VCID-y1h3-yyn9-53fr (aliases: CVE-2026-2603, GHSA-x4p7-7chp-64hq) | Keycloak: Unauthorized authentication via disabled SAML Identity Provider. A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication. | Affected by 2 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-gzz6-md9v-b3em | Keycloak allows authentication using an Identity Provider (IdP) even after it has been disabled by an administrator. A security flaw in the IdentityBrokerService.performLogin endpoint of Keycloak allows authentication to proceed using an Identity Provider (IdP) even after it has been disabled by an administrator. An attacker who knows the IdP alias can reuse a previously generated login request to bypass the administrative restriction. This undermines access control enforcement and may allow unauthorized authentication through a disabled external provider. | CVE-2026-3009, GHSA-m297-3jv9-m927 |
| VCID-tc9b-zzjt-63c7 | Keycloak: Unauthorized access via improper validation of encrypted SAML assertions. A flaw was found in Keycloak. Keycloak's Security Assertion Markup Language (SAML) broker endpoint does not properly validate encrypted assertions when the overall SAML response is not signed. An attacker with a valid signed SAML assertion can exploit this by crafting a malicious SAML response. This allows the attacker to inject an encrypted assertion for an arbitrary principal, leading to unauthorized access and potential information disclosure. | CVE-2026-2092, GHSA-wmxr-6j5f-838p |