Package details: pkg:maven/org.keycloak/keycloak-services@26.5.6
purl: pkg:maven/org.keycloak/keycloak-services@26.5.6
Next non-vulnerable version: 26.6.1
Latest non-vulnerable version: 26.6.1
Risk: 4.0
Vulnerabilities affecting this package (5)
VCID-a5d9-k9vd-fyfe
Aliases: CVE-2026-4633, GHSA-rhgq-f8x5-j2jc
Summary: Keycloak's identity-first login flow exposes user information.
A flaw was found in Keycloak. A remote attacker can exploit differential error messages during the identity-first login flow when Organizations are enabled. This vulnerability allows an attacker to determine the existence of users, leading to information disclosure through user enumeration.
Fixed by: 26.6.0 (this version is affected by 2 other vulnerabilities)

VCID-mdkf-3bgs-w7dm
Aliases: CVE-2026-4874, GHSA-22rm-wp4x-v5cx
Summary: Keycloak Server-Side Request Forgery via OIDC token endpoint manipulation.
A flaw was found in Keycloak. An authenticated attacker can perform Server-Side Request Forgery (SSRF) by manipulating the `client_session_host` parameter during refresh token requests. This occurs when a Keycloak client is configured to use the `backchannel.logout.url` with the `application.session.host` placeholder. Successful exploitation allows the attacker to make HTTP requests from the Keycloak server’s network context, potentially probing internal networks or internal APIs, leading to information disclosure.
Fixed by: 26.6.1 (this version is affected by 0 other vulnerabilities)

VCID-qgbq-s33g-d7af
Aliases: CVE-2026-3429, GHSA-8g9r-9wjw-37j4
Summary: Keycloak: Improper Access Control Leading to MFA Deletion and Account Takeover in Keycloak Account REST API.
A flaw was identified in the Account REST API of Keycloak that allows a user authenticated at a lower security level to perform sensitive actions intended only for higher-assurance sessions. Specifically, an attacker who has already obtained a victim’s password can delete the victim’s registered MFA/OTP credential without first proving possession of that factor. The attacker can then register their own MFA device, effectively taking full control of the account. This weakness undermines the intended protection provided by multi-factor authentication.
Fixed by: 26.5.7 (this version is affected by 4 other vulnerabilities)

VCID-ugtk-3bjv-s3a4
Aliases: CVE-2026-4628, GHSA-4pgc-gfrr-wcmg
Summary: Keycloak has Improper Access Control that allows attackers with valid credentials to bypass allowRemoteResourceManagement=false.
A flaw was found in Keycloak. An improper Access Control vulnerability in Keycloak’s User-Managed Access (UMA) resource_set endpoint allows attackers with valid credentials to bypass the allowRemoteResourceManagement=false restriction. This occurs due to incomplete enforcement of access control checks on PUT operations to the resource_set endpoint. This issue enables unauthorized modification of protected resources, impacting data integrity.
Fixed by: 26.6.1 (this version is affected by 0 other vulnerabilities)

VCID-y1h3-yyn9-53fr
Aliases: CVE-2026-2603, GHSA-x4p7-7chp-64hq
Summary: Keycloak: Unauthorized authentication via disabled SAML Identity Provider.
A flaw was found in Keycloak. A remote attacker could bypass security controls by sending a valid SAML response from an external Identity Provider (IdP) to the Keycloak SAML endpoint for IdP-initiated broker logins. This allows the attacker to complete broker logins even when the SAML Identity Provider is disabled, leading to unauthorized authentication.
Fixed by: 26.6.0 (this version is affected by 2 other vulnerabilities)
Vulnerabilities fixed by this package (3)
VCID-7c1j-kcbb-v3f1
Aliases: CVE-2026-3911, GHSA-xh32-c9wx-phrp
Summary: Keycloak: Information disclosure of disabled user attributes via administrative endpoint.
A flaw was found in Keycloak. An authenticated user with the view-users role could exploit a vulnerability in the UserResource component. By accessing a specific administrative endpoint, this user could improperly retrieve user attributes that were configured to be hidden. This unauthorized information disclosure could expose sensitive user data.

VCID-szbr-v2vq-3kbn
Aliases: CVE-2026-3121, GHSA-7xf9-4jfc-wgm4
Summary: Keycloak: manage-clients permission escalates to full realm admin access.
A flaw was found in Keycloak. An administrator with `manage-clients` permission can exploit a misconfiguration where this permission is equivalent to `manage-permissions`. This allows the administrator to escalate privileges and gain control over roles, users, or other administrative functions within the realm. This privilege escalation can occur when admin permissions are enabled at the realm level.

VCID-v77w-st1u-pfe6
Aliases: CVE-2026-3190, GHSA-q35r-vvhv-vx5h
Summary: Keycloak: Missing Role Enforcement on UMA 2.0 Permission Ticket Endpoint Leads to Information Disclosure.
A flaw was found in Keycloak. The User-Managed Access (UMA) 2.0 Protection API endpoint for permission tickets fails to enforce the `uma_protection` role check. This allows any authenticated user with a token issued for a resource server client, even without the `uma_protection` role, to enumerate all permission tickets in the system. This vulnerability partially leads to information disclosure.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-29T23:34:03.065181+00:00 GitLab Importer Fixing VCID-v77w-st1u-pfe6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-3190.yml 38.5.0
2026-04-29T23:33:17.793909+00:00 GitLab Importer Affected by VCID-mdkf-3bgs-w7dm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-4874.yml 38.5.0
2026-04-29T23:33:14.147494+00:00 GitLab Importer Fixing VCID-szbr-v2vq-3kbn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-3121.yml 38.5.0
2026-04-29T23:30:31.738667+00:00 GitLab Importer Affected by VCID-ugtk-3bjv-s3a4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-4628.yml 38.5.0
2026-04-29T23:28:06.921261+00:00 GitLab Importer Affected by VCID-y1h3-yyn9-53fr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-2603.yml 38.5.0
2026-04-29T23:19:14.517594+00:00 GitLab Importer Affected by VCID-qgbq-s33g-d7af https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-3429.yml 38.5.0
2026-04-29T23:18:07.055436+00:00 GitLab Importer Fixing VCID-7c1j-kcbb-v3f1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-3911.yml 38.5.0
2026-04-27T15:33:57.636947+00:00 GitLab Importer Affected by VCID-mdkf-3bgs-w7dm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-4874.yml 38.4.0
2026-04-26T02:32:14.356802+00:00 GitLab Importer Fixing VCID-v77w-st1u-pfe6 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-3190.yml 38.4.0
2026-04-26T02:32:12.450851+00:00 GitLab Importer Fixing VCID-szbr-v2vq-3kbn https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-3121.yml 38.4.0
2026-04-25T02:07:33.516450+00:00 GitLab Importer Affected by VCID-ugtk-3bjv-s3a4 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-4628.yml 38.4.0
2026-04-19T18:07:56.791970+00:00 GitLab Importer Affected by VCID-y1h3-yyn9-53fr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-2603.yml 38.4.0
2026-04-17T00:35:26.093347+00:00 GitLab Importer Affected by VCID-qgbq-s33g-d7af https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-3429.yml 38.4.0
2026-04-17T00:34:19.480730+00:00 GitLab Importer Fixing VCID-7c1j-kcbb-v3f1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-3911.yml 38.4.0
2026-04-14T02:42:40.877281+00:00 GHSA Importer Affected by VCID-a5d9-k9vd-fyfe https://github.com/advisories/GHSA-rhgq-f8x5-j2jc 38.3.0
2026-04-12T01:59:22.162425+00:00 GitLab Importer Fixing VCID-7c1j-kcbb-v3f1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-3911.yml 38.3.0
2026-04-11T12:36:59.483816+00:00 GitLab Importer Affected by VCID-qgbq-s33g-d7af https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.keycloak/keycloak-services/CVE-2026-3429.yml 38.3.0
2026-04-07T14:17:24.115496+00:00 GithubOSV Importer Fixing VCID-szbr-v2vq-3kbn https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7xf9-4jfc-wgm4/GHSA-7xf9-4jfc-wgm4.json 38.1.0
2026-04-04T14:32:47.323109+00:00 GHSA Importer Affected by VCID-qgbq-s33g-d7af https://github.com/advisories/GHSA-8g9r-9wjw-37j4 38.1.0
2026-04-03T21:42:27.053620+00:00 GithubOSV Importer Fixing VCID-v77w-st1u-pfe6 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q35r-vvhv-vx5h/GHSA-q35r-vvhv-vx5h.json 38.1.0
2026-04-02T17:01:28.285398+00:00 GHSA Importer Fixing VCID-v77w-st1u-pfe6 https://github.com/advisories/GHSA-q35r-vvhv-vx5h 38.1.0
2026-04-02T17:01:28.260204+00:00 GHSA Importer Fixing VCID-szbr-v2vq-3kbn https://github.com/advisories/GHSA-7xf9-4jfc-wgm4 38.1.0
2026-04-02T17:01:25.370856+00:00 GHSA Importer Affected by VCID-mdkf-3bgs-w7dm https://github.com/advisories/GHSA-22rm-wp4x-v5cx 38.1.0
2026-04-02T17:01:20.001108+00:00 GHSA Importer Affected by VCID-a5d9-k9vd-fyfe https://github.com/advisories/GHSA-rhgq-f8x5-j2jc 38.1.0
2026-04-02T17:01:19.977233+00:00 GHSA Importer Affected by VCID-ugtk-3bjv-s3a4 https://github.com/advisories/GHSA-4pgc-gfrr-wcmg 38.1.0
2026-04-01T16:08:29.716399+00:00 GHSA Importer Affected by VCID-qgbq-s33g-d7af https://github.com/advisories/GHSA-8g9r-9wjw-37j4 38.0.0
2026-04-01T12:54:14.028086+00:00 GithubOSV Importer Fixing VCID-v77w-st1u-pfe6 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-q35r-vvhv-vx5h/GHSA-q35r-vvhv-vx5h.json 38.0.0
2026-04-01T12:54:02.992738+00:00 GithubOSV Importer Fixing VCID-szbr-v2vq-3kbn https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-7xf9-4jfc-wgm4/GHSA-7xf9-4jfc-wgm4.json 38.0.0